| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2 | * TLS server-side functions |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3 | * |
| Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 4 | * Copyright The Mbed TLS Contributors |
| Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 18 | */ |
| 19 | |
| Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 20 | #include "common.h" |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 23 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 24 | #if defined(MBEDTLS_PLATFORM_C) |
| 25 | #include "mbedtls/platform.h" |
| 26 | #else |
| 27 | #include <stdlib.h> |
| 28 | #define mbedtls_calloc calloc |
| 29 | #define mbedtls_free free |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 30 | #endif |
| 31 | |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 32 | #include "mbedtls/ssl.h" |
| Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 33 | #include "ssl_misc.h" |
| Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 34 | #include "mbedtls/debug.h" |
| 35 | #include "mbedtls/error.h" |
| Andres Amaya Garcia | 8491406 | 2018-04-24 08:40:46 -0500 | [diff] [blame] | 36 | #include "mbedtls/platform_util.h" |
| Gabor Mezei | 22c9a6f | 2021-10-20 12:09:35 +0200 | [diff] [blame] | 37 | #include "constant_time_internal.h" |
| Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 38 | #include "mbedtls/constant_time.h" |
| Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 39 | |
| 40 | #include <string.h> |
| 41 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 42 | #if defined(MBEDTLS_ECP_C) |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 43 | #include "mbedtls/ecp.h" |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 44 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 45 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 46 | #if defined(MBEDTLS_HAVE_TIME) |
| Simon Butcher | b5b6af2 | 2016-07-13 14:46:18 +0100 | [diff] [blame] | 47 | #include "mbedtls/platform_time.h" |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 48 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 49 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 50 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 51 | int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 52 | const unsigned char *info, |
| 53 | size_t ilen ) |
| 54 | { |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 55 | if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 56 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 57 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 58 | mbedtls_free( ssl->cli_id ); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 59 | |
| Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 60 | if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) |
| Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 61 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 62 | |
| 63 | memcpy( ssl->cli_id, info, ilen ); |
| 64 | ssl->cli_id_len = ilen; |
| 65 | |
| 66 | return( 0 ); |
| 67 | } |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 68 | |
| Manuel Pégourié-Gonnard | 6729e79 | 2015-05-11 09:50:24 +0200 | [diff] [blame] | 69 | void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 70 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 71 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 72 | void *p_cookie ) |
| 73 | { |
| Manuel Pégourié-Gonnard | d36e33f | 2015-05-05 10:45:39 +0200 | [diff] [blame] | 74 | conf->f_cookie_write = f_cookie_write; |
| 75 | conf->f_cookie_check = f_cookie_check; |
| 76 | conf->p_cookie = p_cookie; |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 77 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 78 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 79 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 80 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 81 | static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 82 | const unsigned char *buf, |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 83 | size_t len ) |
| 84 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 85 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 86 | size_t servername_list_size, hostname_len; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 87 | const unsigned char *p; |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 88 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 89 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); |
| Manuel Pégourié-Gonnard | 96ea2f2 | 2014-02-25 12:26:29 +0100 | [diff] [blame] | 90 | |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 91 | if( len < 2 ) |
| 92 | { |
| 93 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 94 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 95 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 96 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 97 | } |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 98 | servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| 99 | if( servername_list_size + 2 != len ) |
| 100 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 101 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 102 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 103 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 104 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 105 | } |
| 106 | |
| 107 | p = buf + 2; |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 108 | while( servername_list_size > 2 ) |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 109 | { |
| 110 | hostname_len = ( ( p[1] << 8 ) | p[2] ); |
| 111 | if( hostname_len + 3 > servername_list_size ) |
| 112 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 113 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 114 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 115 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 116 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 117 | } |
| 118 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 119 | if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 120 | { |
| Glenn Strauss | 6989407 | 2022-01-24 12:58:00 -0500 | [diff] [blame] | 121 | ssl->handshake->sni_name = p + 3; |
| 122 | ssl->handshake->sni_name_len = hostname_len; |
| 123 | if( ssl->conf->f_sni == NULL ) |
| 124 | return( 0 ); |
| 125 | |
| Manuel Pégourié-Gonnard | 1af6c85 | 2015-05-10 23:10:37 +0200 | [diff] [blame] | 126 | ret = ssl->conf->f_sni( ssl->conf->p_sni, |
| 127 | ssl, p + 3, hostname_len ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 128 | if( ret != 0 ) |
| 129 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 130 | MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); |
| 131 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 132 | MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 133 | return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 134 | } |
| Paul Bakker | 81420ab | 2012-10-23 10:31:15 +0000 | [diff] [blame] | 135 | return( 0 ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 136 | } |
| 137 | |
| 138 | servername_list_size -= hostname_len + 3; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 139 | p += hostname_len + 3; |
| 140 | } |
| 141 | |
| 142 | if( servername_list_size != 0 ) |
| 143 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 144 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 145 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 146 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 147 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 148 | } |
| 149 | |
| 150 | return( 0 ); |
| 151 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 152 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 153 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 154 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 155 | static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) |
| 156 | { |
| 157 | if( conf->f_psk != NULL ) |
| 158 | return( 1 ); |
| 159 | |
| 160 | if( conf->psk_identity_len == 0 || conf->psk_identity == NULL ) |
| 161 | return( 0 ); |
| 162 | |
| 163 | if( conf->psk != NULL && conf->psk_len != 0 ) |
| 164 | return( 1 ); |
| 165 | |
| 166 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 167 | if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 168 | return( 1 ); |
| 169 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 170 | |
| 171 | return( 0 ); |
| 172 | } |
| 173 | |
| 174 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 175 | static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) |
| 176 | { |
| 177 | if( ssl->conf->f_psk != NULL ) |
| 178 | { |
| 179 | /* If we've used a callback to select the PSK, |
| 180 | * the static configuration is irrelevant. */ |
| 181 | |
| Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 182 | if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 183 | return( 1 ); |
| 184 | |
| 185 | return( 0 ); |
| 186 | } |
| 187 | |
| Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 188 | if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 189 | return( 1 ); |
| 190 | |
| 191 | return( 0 ); |
| 192 | } |
| 193 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 194 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 195 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 196 | static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 197 | const unsigned char *buf, |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 198 | size_t len ) |
| 199 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 200 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 201 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 202 | { |
| 203 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| 204 | if( len != 1 + ssl->verify_data_len || |
| 205 | buf[0] != ssl->verify_data_len || |
| Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 206 | mbedtls_ct_memcmp( buf + 1, ssl->peer_verify_data, |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 207 | ssl->verify_data_len ) != 0 ) |
| 208 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 209 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 210 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 211 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Dave Rodgman | 43fcb8d | 2021-06-28 21:49:15 +0100 | [diff] [blame] | 212 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 213 | } |
| 214 | } |
| 215 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 216 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 217 | { |
| 218 | if( len != 1 || buf[0] != 0x0 ) |
| 219 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 220 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 221 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 222 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Dave Rodgman | 43fcb8d | 2021-06-28 21:49:15 +0100 | [diff] [blame] | 223 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 224 | } |
| 225 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 226 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 227 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 228 | |
| 229 | return( 0 ); |
| 230 | } |
| 231 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 232 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 233 | |
| 234 | /* |
| 235 | * Status of the implementation of signature-algorithms extension: |
| 236 | * |
| 237 | * Currently, we are only considering the signature-algorithm extension |
| 238 | * to pick a ciphersuite which allows us to send the ServerKeyExchange |
| 239 | * message with a signature-hash combination that the user allows. |
| 240 | * |
| 241 | * We do *not* check whether all certificates in our certificate |
| 242 | * chain are signed with an allowed signature-hash pair. |
| 243 | * This needs to be done at a later stage. |
| 244 | * |
| 245 | */ |
| Jerry Yu | 18cd439 | 2021-12-17 17:44:24 +0800 | [diff] [blame] | 246 | static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl, |
| 247 | const unsigned char *buf, |
| 248 | size_t len ) |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 249 | { |
| 250 | size_t sig_alg_list_size; |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 251 | |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 252 | const unsigned char *p; |
| Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 253 | const unsigned char *end = buf + len; |
| Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 254 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 255 | mbedtls_md_type_t md_cur; |
| 256 | mbedtls_pk_type_t sig_cur; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 257 | |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 258 | if ( len < 2 ) { |
| 259 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 260 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 261 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 262 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 263 | } |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 264 | sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| 265 | if( sig_alg_list_size + 2 != len || |
| Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 266 | sig_alg_list_size % 2 != 0 ) |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 267 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 268 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 269 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 270 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 271 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 272 | } |
| 273 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 274 | /* Currently we only guarantee signing the ServerKeyExchange message according |
| 275 | * to the constraints specified in this extension (see above), so it suffices |
| 276 | * to remember only one suitable hash for each possible signature algorithm. |
| Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 277 | * |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 278 | * This will change when we also consider certificate signatures, |
| 279 | * in which case we will need to remember the whole signature-hash |
| 280 | * pair list from the extension. |
| Manuel Pégourié-Gonnard | 08e81e0 | 2014-07-08 12:56:25 +0200 | [diff] [blame] | 281 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 282 | |
| 283 | for( p = buf + 2; p < end; p += 2 ) |
| 284 | { |
| 285 | /* Silently ignore unknown signature or hash algorithms. */ |
| 286 | |
| 287 | if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) |
| 288 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 289 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" |
| 290 | " unknown sig alg encoding %d", p[1] ) ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 291 | continue; |
| 292 | } |
| 293 | |
| 294 | /* Check if we support the hash the user proposes */ |
| 295 | md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); |
| 296 | if( md_cur == MBEDTLS_MD_NONE ) |
| 297 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 298 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" |
| 299 | " unknown hash alg encoding %d", p[0] ) ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 300 | continue; |
| 301 | } |
| 302 | |
| Jerry Yu | 24811fb | 2022-01-19 18:02:15 +0800 | [diff] [blame] | 303 | if( mbedtls_ssl_sig_alg_is_offered( |
| 304 | ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) ) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 305 | { |
| 306 | mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 307 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" |
| Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 308 | " match sig %u and hash %u", |
| Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 309 | (unsigned) sig_cur, (unsigned) md_cur ) ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 310 | } |
| 311 | else |
| 312 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 313 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " |
| Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 314 | "hash alg %u not supported", (unsigned) md_cur ) ); |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 315 | } |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 316 | } |
| 317 | |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 318 | return( 0 ); |
| 319 | } |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 320 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 321 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 322 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 323 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 324 | /* |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 325 | * Function for parsing a supported groups (TLS 1.3) or supported elliptic |
| 326 | * curves (TLS 1.2) extension. |
| 327 | * |
| 328 | * The "extension_data" field of a supported groups extension contains a |
| 329 | * "NamedGroupList" value (TLS 1.3 RFC8446): |
| 330 | * enum { |
| 331 | * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), |
| 332 | * x25519(0x001D), x448(0x001E), |
| 333 | * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), |
| 334 | * ffdhe6144(0x0103), ffdhe8192(0x0104), |
| 335 | * ffdhe_private_use(0x01FC..0x01FF), |
| 336 | * ecdhe_private_use(0xFE00..0xFEFF), |
| 337 | * (0xFFFF) |
| 338 | * } NamedGroup; |
| 339 | * struct { |
| 340 | * NamedGroup named_group_list<2..2^16-1>; |
| 341 | * } NamedGroupList; |
| 342 | * |
| 343 | * The "extension_data" field of a supported elliptic curves extension contains |
| 344 | * a "NamedCurveList" value (TLS 1.2 RFC 8422): |
| 345 | * enum { |
| 346 | * deprecated(1..22), |
| 347 | * secp256r1 (23), secp384r1 (24), secp521r1 (25), |
| 348 | * x25519(29), x448(30), |
| 349 | * reserved (0xFE00..0xFEFF), |
| 350 | * deprecated(0xFF01..0xFF02), |
| 351 | * (0xFFFF) |
| 352 | * } NamedCurve; |
| 353 | * struct { |
| 354 | * NamedCurve named_curve_list<2..2^16-1> |
| 355 | * } NamedCurveList; |
| 356 | * |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 357 | * The TLS 1.3 supported groups extension was defined to be a compatible |
| 358 | * generalization of the TLS 1.2 supported elliptic curves extension. They both |
| 359 | * share the same extension identifier. |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 360 | * |
| 361 | * DHE groups are not supported yet. |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 362 | */ |
| Jerry Yu | b47d0f8 | 2021-12-20 17:34:40 +0800 | [diff] [blame] | 363 | static int ssl_parse_supported_groups_ext( mbedtls_ssl_context *ssl, |
| Jerry Yu | ffef9c5 | 2021-12-24 22:31:08 +0800 | [diff] [blame] | 364 | const unsigned char *buf, |
| 365 | size_t len ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 366 | { |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 367 | size_t list_size, our_size; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 368 | const unsigned char *p; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 369 | const mbedtls_ecp_curve_info *curve_info, **curves; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 370 | |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 371 | if ( len < 2 ) { |
| 372 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 373 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 374 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 375 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 376 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 377 | list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); |
| 378 | if( list_size + 2 != len || |
| 379 | list_size % 2 != 0 ) |
| 380 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 381 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 382 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 383 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 384 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 385 | } |
| 386 | |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 387 | /* Should never happen unless client duplicates the extension */ |
| 388 | if( ssl->handshake->curves != NULL ) |
| 389 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 390 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 391 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 392 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| 393 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 394 | } |
| 395 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 396 | /* Don't allow our peer to make us allocate too much memory, |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 397 | * and leave room for a final 0 */ |
| 398 | our_size = list_size / 2 + 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 399 | if( our_size > MBEDTLS_ECP_DP_MAX ) |
| 400 | our_size = MBEDTLS_ECP_DP_MAX; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 401 | |
| Manuel Pégourié-Gonnard | 7551cb9 | 2015-05-26 16:04:06 +0200 | [diff] [blame] | 402 | if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 403 | { |
| 404 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 405 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); |
| Manuel Pégourié-Gonnard | 6a8ca33 | 2015-05-28 09:33:39 +0200 | [diff] [blame] | 406 | return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 407 | } |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 408 | |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 409 | ssl->handshake->curves = curves; |
| 410 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 411 | p = buf + 2; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 412 | while( list_size > 0 && our_size > 1 ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 413 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 414 | curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); |
| Manuel Pégourié-Gonnard | 568c9cf | 2013-09-16 17:30:04 +0200 | [diff] [blame] | 415 | |
| Manuel Pégourié-Gonnard | f24b4a7 | 2013-09-23 18:14:50 +0200 | [diff] [blame] | 416 | if( curve_info != NULL ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 417 | { |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 418 | *curves++ = curve_info; |
| 419 | our_size--; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 420 | } |
| 421 | |
| 422 | list_size -= 2; |
| 423 | p += 2; |
| 424 | } |
| 425 | |
| 426 | return( 0 ); |
| 427 | } |
| 428 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 429 | static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, |
| Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 430 | const unsigned char *buf, |
| 431 | size_t len ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 432 | { |
| 433 | size_t list_size; |
| 434 | const unsigned char *p; |
| 435 | |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 436 | if( len == 0 || (size_t)( buf[0] + 1 ) != len ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 437 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 438 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 439 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 440 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 441 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 442 | } |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 443 | list_size = buf[0]; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 444 | |
| Manuel Pégourié-Gonnard | c1b46d0 | 2015-09-16 11:18:32 +0200 | [diff] [blame] | 445 | p = buf + 1; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 446 | while( list_size > 0 ) |
| 447 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 448 | if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 449 | p[0] == MBEDTLS_ECP_PF_COMPRESSED ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 450 | { |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 451 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| Manuel Pégourié-Gonnard | 5734b2d | 2013-08-15 19:04:02 +0200 | [diff] [blame] | 452 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 453 | #endif |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 454 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | cd07e22 | 2021-05-27 23:17:34 +0200 | [diff] [blame] | 455 | mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, |
| 456 | p[0] ); |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 457 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 458 | MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 459 | return( 0 ); |
| 460 | } |
| 461 | |
| 462 | list_size--; |
| 463 | p++; |
| 464 | } |
| 465 | |
| 466 | return( 0 ); |
| 467 | } |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 468 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| 469 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 470 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 471 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 472 | static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, |
| 473 | const unsigned char *buf, |
| 474 | size_t len ) |
| 475 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 476 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 477 | |
| 478 | if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) |
| 479 | { |
| 480 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); |
| 481 | return( 0 ); |
| 482 | } |
| 483 | |
| 484 | if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, |
| 485 | buf, len ) ) != 0 ) |
| 486 | { |
| 487 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 488 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 489 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 490 | return( ret ); |
| 491 | } |
| 492 | |
| 493 | /* Only mark the extension as OK when we're sure it is */ |
| 494 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| 495 | |
| 496 | return( 0 ); |
| 497 | } |
| 498 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 499 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 500 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 501 | static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 502 | const unsigned char *buf, |
| 503 | size_t len ) |
| 504 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 505 | if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 506 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 507 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 508 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 509 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 510 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 511 | } |
| 512 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 513 | ssl->session_negotiate->mfl_code = buf[0]; |
| 514 | |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 515 | return( 0 ); |
| 516 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 517 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 518 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 519 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 520 | static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, |
| 521 | const unsigned char *buf, |
| 522 | size_t len ) |
| 523 | { |
| 524 | size_t peer_cid_len; |
| 525 | |
| 526 | /* CID extension only makes sense in DTLS */ |
| 527 | if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| 528 | { |
| 529 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 530 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 531 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 532 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 533 | } |
| 534 | |
| 535 | /* |
| Hanno Becker | ebcc913 | 2019-05-15 10:26:32 +0100 | [diff] [blame] | 536 | * Quoting draft-ietf-tls-dtls-connection-id-05 |
| 537 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 538 | * |
| 539 | * struct { |
| 540 | * opaque cid<0..2^8-1>; |
| 541 | * } ConnectionId; |
| 542 | */ |
| 543 | |
| 544 | if( len < 1 ) |
| 545 | { |
| 546 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 547 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 548 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 549 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 550 | } |
| 551 | |
| 552 | peer_cid_len = *buf++; |
| 553 | len--; |
| 554 | |
| 555 | if( len != peer_cid_len ) |
| 556 | { |
| 557 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 558 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 559 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 560 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 561 | } |
| 562 | |
| 563 | /* Ignore CID if the user has disabled its use. */ |
| 564 | if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) |
| 565 | { |
| 566 | /* Leave ssl->handshake->cid_in_use in its default |
| 567 | * value of MBEDTLS_SSL_CID_DISABLED. */ |
| 568 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) ); |
| 569 | return( 0 ); |
| 570 | } |
| 571 | |
| 572 | if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX ) |
| 573 | { |
| 574 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 575 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 576 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 577 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 578 | } |
| 579 | |
| Hanno Becker | 08556bf | 2019-05-03 12:43:44 +0100 | [diff] [blame] | 580 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 581 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| 582 | memcpy( ssl->handshake->peer_cid, buf, peer_cid_len ); |
| 583 | |
| 584 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) ); |
| 585 | MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len ); |
| 586 | |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 587 | return( 0 ); |
| 588 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 589 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 590 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 591 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| 592 | static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 593 | const unsigned char *buf, |
| 594 | size_t len ) |
| 595 | { |
| 596 | if( len != 0 ) |
| 597 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 598 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 599 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 600 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 601 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 602 | } |
| 603 | |
| 604 | ((void) buf); |
| 605 | |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 606 | if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 607 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 608 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 609 | } |
| 610 | |
| 611 | return( 0 ); |
| 612 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 613 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 614 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 615 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 616 | static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 617 | const unsigned char *buf, |
| 618 | size_t len ) |
| 619 | { |
| 620 | if( len != 0 ) |
| 621 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 622 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 623 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 624 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 625 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 626 | } |
| 627 | |
| 628 | ((void) buf); |
| 629 | |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 630 | if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) |
| Manuel Pégourié-Gonnard | b575b54 | 2014-10-24 15:12:31 +0200 | [diff] [blame] | 631 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 632 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| Manuel Pégourié-Gonnard | b575b54 | 2014-10-24 15:12:31 +0200 | [diff] [blame] | 633 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 634 | |
| 635 | return( 0 ); |
| 636 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 637 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 638 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 639 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 640 | static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 641 | unsigned char *buf, |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 642 | size_t len ) |
| 643 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 644 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 645 | mbedtls_ssl_session session; |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 646 | |
| Manuel Pégourié-Gonnard | bae389b | 2015-06-24 10:45:58 +0200 | [diff] [blame] | 647 | mbedtls_ssl_session_init( &session ); |
| 648 | |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 649 | if( ssl->conf->f_ticket_parse == NULL || |
| 650 | ssl->conf->f_ticket_write == NULL ) |
| 651 | { |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 652 | return( 0 ); |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 653 | } |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 654 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 655 | /* Remember the client asked us to send a new ticket */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 656 | ssl->handshake->new_session_ticket = 1; |
| 657 | |
| Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 658 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, len ) ); |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 659 | |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 660 | if( len == 0 ) |
| 661 | return( 0 ); |
| 662 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 663 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 664 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 665 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 666 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 667 | return( 0 ); |
| 668 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 669 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 670 | |
| 671 | /* |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 672 | * Failures are ok: just ignore the ticket and proceed. |
| 673 | */ |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 674 | if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, |
| 675 | buf, len ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 676 | { |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 677 | mbedtls_ssl_session_free( &session ); |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 678 | |
| 679 | if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) |
| 680 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); |
| 681 | else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) |
| 682 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); |
| 683 | else |
| 684 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); |
| 685 | |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 686 | return( 0 ); |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 687 | } |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 688 | |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 689 | /* |
| 690 | * Keep the session ID sent by the client, since we MUST send it back to |
| 691 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| 692 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 693 | session.id_len = ssl->session_negotiate->id_len; |
| 694 | memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 695 | |
| 696 | mbedtls_ssl_session_free( ssl->session_negotiate ); |
| 697 | memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); |
| 698 | |
| 699 | /* Zeroize instead of free as we copied the content */ |
| Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 700 | mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) ); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 701 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 702 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 703 | |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 704 | ssl->handshake->resume = 1; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 705 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 706 | /* Don't send a new ticket after all, this one is OK */ |
| 707 | ssl->handshake->new_session_ticket = 0; |
| 708 | |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 709 | return( 0 ); |
| 710 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 711 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 712 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 713 | #if defined(MBEDTLS_SSL_ALPN) |
| 714 | static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 14beb08 | 2014-07-08 13:50:35 +0200 | [diff] [blame] | 715 | const unsigned char *buf, size_t len ) |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 716 | { |
| Paul Bakker | 14b16c6 | 2014-05-28 11:33:54 +0200 | [diff] [blame] | 717 | size_t list_len, cur_len, ours_len; |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 718 | const unsigned char *theirs, *start, *end; |
| 719 | const char **ours; |
| 720 | |
| 721 | /* If ALPN not configured, just ignore the extension */ |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 722 | if( ssl->conf->alpn_list == NULL ) |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 723 | return( 0 ); |
| 724 | |
| 725 | /* |
| 726 | * opaque ProtocolName<1..2^8-1>; |
| 727 | * |
| 728 | * struct { |
| 729 | * ProtocolName protocol_name_list<2..2^16-1> |
| 730 | * } ProtocolNameList; |
| 731 | */ |
| 732 | |
| 733 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
| 734 | if( len < 4 ) |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 735 | { |
| 736 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 737 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 738 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 739 | } |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 740 | |
| 741 | list_len = ( buf[0] << 8 ) | buf[1]; |
| 742 | if( list_len != len - 2 ) |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 743 | { |
| 744 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 745 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 746 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 747 | } |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 748 | |
| 749 | /* |
| Manuel Pégourié-Gonnard | 239987f | 2018-01-09 10:43:43 +0100 | [diff] [blame] | 750 | * Validate peer's list (lengths) |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 751 | */ |
| 752 | start = buf + 2; |
| 753 | end = buf + len; |
| Manuel Pégourié-Gonnard | 239987f | 2018-01-09 10:43:43 +0100 | [diff] [blame] | 754 | for( theirs = start; theirs != end; theirs += cur_len ) |
| 755 | { |
| 756 | cur_len = *theirs++; |
| 757 | |
| 758 | /* Current identifier must fit in list */ |
| 759 | if( cur_len > (size_t)( end - theirs ) ) |
| 760 | { |
| 761 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 762 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 763 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 239987f | 2018-01-09 10:43:43 +0100 | [diff] [blame] | 764 | } |
| 765 | |
| 766 | /* Empty strings MUST NOT be included */ |
| 767 | if( cur_len == 0 ) |
| 768 | { |
| 769 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 770 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 771 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | 239987f | 2018-01-09 10:43:43 +0100 | [diff] [blame] | 772 | } |
| 773 | } |
| 774 | |
| 775 | /* |
| 776 | * Use our order of preference |
| 777 | */ |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 778 | for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 779 | { |
| Paul Bakker | 14b16c6 | 2014-05-28 11:33:54 +0200 | [diff] [blame] | 780 | ours_len = strlen( *ours ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 781 | for( theirs = start; theirs != end; theirs += cur_len ) |
| 782 | { |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 783 | cur_len = *theirs++; |
| 784 | |
| Paul Bakker | 14b16c6 | 2014-05-28 11:33:54 +0200 | [diff] [blame] | 785 | if( cur_len == ours_len && |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 786 | memcmp( theirs, *ours, cur_len ) == 0 ) |
| 787 | { |
| 788 | ssl->alpn_chosen = *ours; |
| 789 | return( 0 ); |
| 790 | } |
| 791 | } |
| 792 | } |
| 793 | |
| 794 | /* If we get there, no match was found */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 795 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 796 | MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); |
| Dave Rodgman | 53c8689 | 2021-06-29 10:02:06 +0100 | [diff] [blame] | 797 | return( MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 798 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 799 | #endif /* MBEDTLS_SSL_ALPN */ |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 800 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 801 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 802 | static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl, |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 803 | const unsigned char *buf, |
| 804 | size_t len ) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 805 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 806 | mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 807 | size_t i,j; |
| Johan Pascal | f6417ec | 2020-09-22 15:15:19 +0200 | [diff] [blame] | 808 | size_t profile_length; |
| 809 | uint16_t mki_length; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 810 | /*! 2 bytes for profile length and 1 byte for mki len */ |
| 811 | const size_t size_of_lengths = 3; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 812 | |
| 813 | /* If use_srtp is not configured, just ignore the extension */ |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 814 | if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) || |
| 815 | ( ssl->conf->dtls_srtp_profile_list == NULL ) || |
| 816 | ( ssl->conf->dtls_srtp_profile_list_len == 0 ) ) |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 817 | { |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 818 | return( 0 ); |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 819 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 820 | |
| 821 | /* RFC5764 section 4.1.1 |
| 822 | * uint8 SRTPProtectionProfile[2]; |
| 823 | * |
| 824 | * struct { |
| 825 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 826 | * opaque srtp_mki<0..255>; |
| 827 | * } UseSRTPData; |
| 828 | |
| 829 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 830 | */ |
| 831 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 832 | /* |
| 833 | * Min length is 5: at least one protection profile(2 bytes) |
| 834 | * and length(2 bytes) + srtp_mki length(1 byte) |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 835 | * Check here that we have at least 2 bytes of protection profiles length |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 836 | * and one of srtp_mki length |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 837 | */ |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 838 | if( len < size_of_lengths ) |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 839 | { |
| 840 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 841 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 842 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 843 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 844 | |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 845 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 846 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 847 | /* first 2 bytes are protection profile length(in bytes) */ |
| 848 | profile_length = ( buf[0] << 8 ) | buf[1]; |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 849 | buf += 2; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 850 | |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 851 | /* The profile length cannot be bigger than input buffer size - lengths fields */ |
| 852 | if( profile_length > len - size_of_lengths || |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 853 | profile_length % 2 != 0 ) /* profiles are 2 bytes long, so the length must be even */ |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 854 | { |
| 855 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 856 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 857 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 858 | } |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 859 | /* |
| 860 | * parse the extension list values are defined in |
| 861 | * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml |
| 862 | */ |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 863 | for( j = 0; j < profile_length; j += 2 ) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 864 | { |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 865 | uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 866 | client_protection = mbedtls_ssl_check_srtp_profile_value( protection_profile_value ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 867 | |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 868 | if( client_protection != MBEDTLS_TLS_SRTP_UNSET ) |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 869 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 870 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s", |
| 871 | mbedtls_ssl_get_srtp_profile_as_string( |
| 872 | client_protection ) ) ); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 873 | } |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 874 | else |
| 875 | { |
| 876 | continue; |
| 877 | } |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 878 | /* check if suggested profile is in our list */ |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 879 | for( i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 880 | { |
| 881 | if( client_protection == ssl->conf->dtls_srtp_profile_list[i] ) |
| 882 | { |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 883 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 884 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s", |
| 885 | mbedtls_ssl_get_srtp_profile_as_string( |
| 886 | client_protection ) ) ); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 887 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 888 | } |
| 889 | } |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 890 | if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET ) |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 891 | break; |
| 892 | } |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 893 | buf += profile_length; /* buf points to the mki length */ |
| 894 | mki_length = *buf; |
| 895 | buf++; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 896 | |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 897 | if( mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || |
| 898 | mki_length + profile_length + size_of_lengths != len ) |
| 899 | { |
| 900 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 901 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 902 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 903 | } |
| 904 | |
| 905 | /* Parse the mki only if present and mki is supported locally */ |
| 906 | if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && |
| 907 | mki_length > 0 ) |
| 908 | { |
| 909 | ssl->dtls_srtp_info.mki_len = mki_length; |
| 910 | |
| Johan Pascal | 5ef72d2 | 2020-10-28 17:05:47 +0100 | [diff] [blame] | 911 | memcpy( ssl->dtls_srtp_info.mki_value, buf, mki_length ); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 912 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 913 | MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value, |
| 914 | ssl->dtls_srtp_info.mki_len ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 915 | } |
| 916 | |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 917 | return( 0 ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 918 | } |
| 919 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 920 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 921 | /* |
| 922 | * Auxiliary functions for ServerHello parsing and related actions |
| 923 | */ |
| 924 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 925 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 926 | /* |
| Manuel Pégourié-Gonnard | 6458e3b | 2015-01-08 14:16:56 +0100 | [diff] [blame] | 927 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 928 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 929 | #if defined(MBEDTLS_ECDSA_C) |
| 930 | static int ssl_check_key_curve( mbedtls_pk_context *pk, |
| 931 | const mbedtls_ecp_curve_info **curves ) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 932 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 933 | const mbedtls_ecp_curve_info **crv = curves; |
| 934 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 935 | |
| 936 | while( *crv != NULL ) |
| 937 | { |
| 938 | if( (*crv)->grp_id == grp_id ) |
| Manuel Pégourié-Gonnard | 6458e3b | 2015-01-08 14:16:56 +0100 | [diff] [blame] | 939 | return( 0 ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 940 | crv++; |
| 941 | } |
| 942 | |
| Manuel Pégourié-Gonnard | 6458e3b | 2015-01-08 14:16:56 +0100 | [diff] [blame] | 943 | return( -1 ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 944 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 945 | #endif /* MBEDTLS_ECDSA_C */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 946 | |
| 947 | /* |
| 948 | * Try picking a certificate for this ciphersuite, |
| 949 | * return 0 on success and -1 on failure. |
| 950 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 951 | static int ssl_pick_cert( mbedtls_ssl_context *ssl, |
| 952 | const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 953 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 954 | mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 955 | mbedtls_pk_type_t pk_alg = |
| 956 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
| Manuel Pégourié-Gonnard | e6ef16f | 2015-05-11 19:54:43 +0200 | [diff] [blame] | 957 | uint32_t flags; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 958 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 959 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 960 | if( ssl->handshake->sni_key_cert != NULL ) |
| 961 | list = ssl->handshake->sni_key_cert; |
| 962 | else |
| 963 | #endif |
| Manuel Pégourié-Gonnard | 8f618a8 | 2015-05-10 21:13:36 +0200 | [diff] [blame] | 964 | list = ssl->conf->key_cert; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 965 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 966 | if( pk_alg == MBEDTLS_PK_NONE ) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 967 | return( 0 ); |
| 968 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 969 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 970 | |
| Manuel Pégourié-Gonnard | e540b49 | 2015-07-07 12:44:38 +0200 | [diff] [blame] | 971 | if( list == NULL ) |
| 972 | { |
| 973 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); |
| 974 | return( -1 ); |
| 975 | } |
| 976 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 977 | for( cur = list; cur != NULL; cur = cur->next ) |
| 978 | { |
| Andrzej Kurek | 7ed01e8 | 2020-03-18 11:51:59 -0400 | [diff] [blame] | 979 | flags = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 980 | MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 981 | cur->cert ); |
| 982 | |
| Gilles Peskine | e198df5 | 2018-01-05 21:17:45 +0100 | [diff] [blame] | 983 | if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 984 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 985 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 986 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 987 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 988 | |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 989 | /* |
| 990 | * This avoids sending the client a cert it'll reject based on |
| 991 | * keyUsage or other extensions. |
| 992 | * |
| 993 | * It also allows the user to provision different certificates for |
| 994 | * different uses based on keyUsage, eg if they want to avoid signing |
| 995 | * and decrypting with the same RSA key. |
| 996 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 997 | if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, |
| Manuel Pégourié-Gonnard | e6efa6f | 2015-04-20 11:01:48 +0100 | [diff] [blame] | 998 | MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 999 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1000 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1001 | "(extended) key usage extension" ) ); |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 1002 | continue; |
| 1003 | } |
| 1004 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1005 | #if defined(MBEDTLS_ECDSA_C) |
| 1006 | if( pk_alg == MBEDTLS_PK_ECDSA && |
| Gilles Peskine | 81d4e89 | 2017-10-27 10:18:44 +0200 | [diff] [blame] | 1007 | ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1008 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1009 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 1010 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1011 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1012 | #endif |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 1013 | |
| 1014 | /* If we get there, we got a winner */ |
| 1015 | break; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1016 | } |
| 1017 | |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1018 | if( cur == NULL ) |
| 1019 | cur = fallback; |
| 1020 | |
| Manuel Pégourié-Gonnard | 8f618a8 | 2015-05-10 21:13:36 +0200 | [diff] [blame] | 1021 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 1022 | if( cur != NULL ) |
| 1023 | { |
| 1024 | ssl->handshake->key_cert = cur; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1025 | MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1026 | ssl->handshake->key_cert->cert ); |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 1027 | return( 0 ); |
| 1028 | } |
| 1029 | |
| 1030 | return( -1 ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1031 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1032 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1033 | |
| 1034 | /* |
| 1035 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| 1036 | * Sets ciphersuite_info only if the suite matches. |
| 1037 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1038 | static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, |
| 1039 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1040 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1041 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1042 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1043 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1044 | mbedtls_pk_type_t sig_type; |
| 1045 | #endif |
| 1046 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1047 | suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1048 | if( suite_info == NULL ) |
| 1049 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1050 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 1051 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1052 | } |
| 1053 | |
| Hanno Becker | 5c5efdf | 2019-01-28 14:59:35 +0000 | [diff] [blame] | 1054 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %#04x (%s)", |
| Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 1055 | (unsigned int) suite_id, suite_info->name ) ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1056 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1057 | if( suite_info->min_minor_ver > ssl->minor_ver || |
| 1058 | suite_info->max_minor_ver < ssl->minor_ver ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1059 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1060 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1061 | return( 0 ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1062 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1063 | |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 1064 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1065 | if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1066 | ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 1067 | { |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1068 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " |
| 1069 | "not configured or ext missing" ) ); |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 1070 | return( 0 ); |
| 1071 | } |
| 1072 | #endif |
| 1073 | |
| 1074 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1075 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
| 1076 | if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1077 | ( ssl->handshake->curves == NULL || |
| 1078 | ssl->handshake->curves[0] == NULL ) ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1079 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1080 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1081 | "no common elliptic curve" ) ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1082 | return( 0 ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1083 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1084 | #endif |
| 1085 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1086 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1087 | /* If the ciphersuite requires a pre-shared key and we don't |
| 1088 | * have one, skip it now rather than failing later */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1089 | if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 1090 | ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1091 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1092 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1093 | return( 0 ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1094 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1095 | #endif |
| 1096 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1097 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1098 | /* If the ciphersuite requires signing, check whether |
| 1099 | * a suitable hash algorithm is present. */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 1100 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); |
| 1101 | if( sig_type != MBEDTLS_PK_NONE && |
| 1102 | mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1103 | { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 1104 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " |
| 1105 | "for signature algorithm %u", (unsigned) sig_type ) ); |
| 1106 | return( 0 ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1107 | } |
| 1108 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1109 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1110 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1111 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1112 | /* |
| 1113 | * Final check: if ciphersuite requires us to have a |
| 1114 | * certificate/key of a particular type: |
| 1115 | * - select the appropriate certificate if we have one, or |
| 1116 | * - try the next ciphersuite if we don't |
| 1117 | * This must be done last since we modify the key_cert list. |
| 1118 | */ |
| 1119 | if( ssl_pick_cert( ssl, suite_info ) != 0 ) |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1120 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1121 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1122 | "no suitable certificate" ) ); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1123 | return( 0 ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1124 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 1125 | #endif |
| 1126 | |
| 1127 | *ciphersuite_info = suite_info; |
| 1128 | return( 0 ); |
| 1129 | } |
| 1130 | |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1131 | /* This function doesn't alert on errors that happen early during |
| 1132 | ClientHello parsing because they might indicate that the client is |
| 1133 | not talking SSL/TLS at all and would not understand our alert. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1134 | static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1135 | { |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1136 | int ret, got_common_suite; |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 1137 | size_t i, j; |
| 1138 | size_t ciph_offset, comp_offset, ext_offset; |
| 1139 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1140 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 1141 | size_t cookie_offset, cookie_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1142 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1143 | unsigned char *buf, *p, *ext; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1144 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1145 | int renegotiation_info_seen = 0; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1146 | #endif |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1147 | int handshake_failure = 0; |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1148 | const int *ciphersuites; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1149 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 1150 | int major, minor; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1151 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1152 | /* If there is no signature-algorithm extension present, |
| 1153 | * we need to fall back to the default values for allowed |
| 1154 | * signature-hash pairs. */ |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1155 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1156 | int sig_hash_alg_ext_present = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1157 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1158 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1159 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1160 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1161 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1162 | read_record_header: |
| 1163 | #endif |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1164 | /* |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1165 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(), |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1166 | * otherwise read it ourselves manually in order to support SSLv2 |
| 1167 | * ClientHello, which doesn't use the same record layer format. |
| 1168 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1169 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1170 | if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1171 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1172 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1173 | if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 59c6f2e | 2015-01-22 11:06:40 +0000 | [diff] [blame] | 1174 | { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1175 | /* No alert on a read error. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1176 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| Manuel Pégourié-Gonnard | 59c6f2e | 2015-01-22 11:06:40 +0000 | [diff] [blame] | 1177 | return( ret ); |
| 1178 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1179 | } |
| 1180 | |
| 1181 | buf = ssl->in_hdr; |
| 1182 | |
| Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1183 | MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1184 | |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1185 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1186 | * TLS Client Hello |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1187 | * |
| 1188 | * Record layer: |
| 1189 | * 0 . 0 message type |
| 1190 | * 1 . 2 protocol version |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1191 | * 3 . 11 DTLS: epoch + record sequence number |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1192 | * 3 . 4 message length |
| 1193 | */ |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1194 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message type: %d", |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1195 | buf[0] ) ); |
| 1196 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1197 | if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 1198 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1199 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1200 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 1201 | } |
| 1202 | |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1203 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message len.: %d", |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1204 | ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); |
| 1205 | |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1206 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, protocol version: [%d:%d]", |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1207 | buf[1], buf[2] ) ); |
| 1208 | |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1209 | mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); |
| Manuel Pégourié-Gonnard | 6b1e207 | 2014-02-12 10:14:54 +0100 | [diff] [blame] | 1210 | |
| 1211 | /* According to RFC 5246 Appendix E.1, the version here is typically |
| 1212 | * "{03,00}, the lowest version number supported by the client, [or] the |
| 1213 | * value of ClientHello.client_version", so the only meaningful check here |
| 1214 | * is the major version shouldn't be less than 3 */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1215 | if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1216 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1217 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1218 | return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1219 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1220 | |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1221 | /* For DTLS if this is the initial handshake, remember the client sequence |
| 1222 | * number to use it in our next message (RFC 6347 4.2.1) */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1223 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1224 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1225 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1226 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 3a173f4 | 2015-01-22 13:30:33 +0000 | [diff] [blame] | 1227 | #endif |
| 1228 | ) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1229 | { |
| 1230 | /* Epoch should be 0 for initial handshakes */ |
| 1231 | if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) |
| 1232 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1233 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1234 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1235 | } |
| 1236 | |
| Jerry Yu | d9a94fe | 2021-09-28 18:58:59 +0800 | [diff] [blame] | 1237 | memcpy( &ssl->cur_out_ctr[2], ssl->in_ctr + 2, |
| Jerry Yu | d96a5c2 | 2021-09-29 17:46:51 +0800 | [diff] [blame] | 1238 | sizeof( ssl->cur_out_ctr ) - 2 ); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1239 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1240 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| 1241 | if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1242 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1243 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1244 | ssl->next_record_offset = 0; |
| 1245 | ssl->in_left = 0; |
| 1246 | goto read_record_header; |
| 1247 | } |
| 1248 | |
| 1249 | /* No MAC to check yet, so we can update right now */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1250 | mbedtls_ssl_dtls_replay_update( ssl ); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1251 | #endif |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1252 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1253 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1254 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1255 | msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1256 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1257 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1258 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | b89c4f3 | 2015-01-21 13:24:10 +0000 | [diff] [blame] | 1259 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1260 | /* Set by mbedtls_ssl_read_record() */ |
| Manuel Pégourié-Gonnard | b89c4f3 | 2015-01-21 13:24:10 +0000 | [diff] [blame] | 1261 | msg_len = ssl->in_hslen; |
| 1262 | } |
| 1263 | else |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1264 | #endif |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1265 | { |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 1266 | if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN ) |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1267 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1268 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1269 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1270 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1271 | |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 1272 | if( ( ret = mbedtls_ssl_fetch_input( ssl, |
| Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1273 | mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 ) |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1274 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1275 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1276 | return( ret ); |
| 1277 | } |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1278 | |
| 1279 | /* Done reading this record, get ready for the next one */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1280 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1281 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Hanno Becker | 5903de4 | 2019-05-03 14:46:38 +0100 | [diff] [blame] | 1282 | ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl ); |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1283 | else |
| 1284 | #endif |
| 1285 | ssl->in_left = 0; |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1286 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1287 | |
| 1288 | buf = ssl->in_msg; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1289 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1290 | MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1291 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1292 | ssl->handshake->update_checksum( ssl, buf, msg_len ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1293 | |
| 1294 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1295 | * Handshake layer: |
| 1296 | * 0 . 0 handshake type |
| 1297 | * 1 . 3 handshake length |
| 1298 | * 4 . 5 DTLS only: message seqence number |
| 1299 | * 6 . 8 DTLS only: fragment offset |
| 1300 | * 9 . 11 DTLS only: fragment length |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1301 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1302 | if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1303 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1304 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1305 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1306 | } |
| 1307 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1308 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1309 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1310 | if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1311 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1312 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1313 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1314 | } |
| 1315 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1316 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1317 | ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); |
| 1318 | |
| 1319 | /* We don't support fragmentation of ClientHello (yet?) */ |
| 1320 | if( buf[1] != 0 || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1321 | msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1322 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1323 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1324 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1325 | } |
| 1326 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1327 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1328 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1329 | { |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1330 | /* |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1331 | * Copy the client's handshake message_seq on initial handshakes, |
| 1332 | * check sequence number on renego. |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1333 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1334 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1335 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1336 | { |
| 1337 | /* This couldn't be done in ssl_prepare_handshake_record() */ |
| 1338 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| 1339 | ssl->in_msg[5]; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1340 | |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1341 | if( cli_msg_seq != ssl->handshake->in_msg_seq ) |
| 1342 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1343 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " |
| Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1344 | "%u (expected %u)", cli_msg_seq, |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1345 | ssl->handshake->in_msg_seq ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1346 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1347 | } |
| 1348 | |
| 1349 | ssl->handshake->in_msg_seq++; |
| 1350 | } |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1351 | else |
| 1352 | #endif |
| 1353 | { |
| 1354 | unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | |
| 1355 | ssl->in_msg[5]; |
| 1356 | ssl->handshake->out_msg_seq = cli_msg_seq; |
| 1357 | ssl->handshake->in_msg_seq = cli_msg_seq + 1; |
| 1358 | } |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1359 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1360 | /* |
| 1361 | * For now we don't support fragmentation, so make sure |
| 1362 | * fragment_offset == 0 and fragment_length == length |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1363 | */ |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1364 | if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || |
| 1365 | memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) |
| 1366 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1367 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); |
| 1368 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1369 | } |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1370 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1371 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1372 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1373 | buf += mbedtls_ssl_hs_hdr_len( ssl ); |
| 1374 | msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1375 | |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1376 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1377 | * ClientHello layer: |
| 1378 | * 0 . 1 protocol version |
| 1379 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| 1380 | * 34 . 35 session id length (1 byte) |
| 1381 | * 35 . 34+x session id |
| 1382 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| 1383 | * 36+x . .. DTLS only: cookie |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1384 | * .. . .. ciphersuite list length (2 bytes) |
| 1385 | * .. . .. ciphersuite list |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1386 | * .. . .. compression alg. list length (1 byte) |
| 1387 | * .. . .. compression alg. list |
| 1388 | * .. . .. extensions length (2 bytes, optional) |
| 1389 | * .. . .. extensions (optional) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1390 | */ |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1391 | |
| 1392 | /* |
| Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 1393 | * Minimal length (with everything empty and extensions omitted) is |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1394 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| 1395 | * read at least up to session id length without worrying. |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1396 | */ |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1397 | if( msg_len < 38 ) |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1398 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1399 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1400 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1401 | } |
| 1402 | |
| 1403 | /* |
| 1404 | * Check and save the protocol version |
| 1405 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1406 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1407 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1408 | mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1409 | ssl->conf->transport, buf ); |
| Hanno Becker | fadbdbb | 2021-07-23 06:25:48 +0100 | [diff] [blame] | 1410 | ssl->session_negotiate->minor_ver = ssl->minor_ver; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1411 | |
| Ronald Cron | 90f0120 | 2022-03-15 15:37:13 +0100 | [diff] [blame] | 1412 | if( ( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 ) || |
| 1413 | ( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) ) |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1414 | { |
| Ronald Cron | 90f0120 | 2022-03-15 15:37:13 +0100 | [diff] [blame] | 1415 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server only supports TLS 1.2" ) ); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1416 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1417 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); |
| Hanno Becker | bc00044 | 2021-06-24 09:18:19 +0100 | [diff] [blame] | 1418 | return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1419 | } |
| 1420 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1421 | /* |
| 1422 | * Save client random (inc. Unix time) |
| 1423 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1424 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1425 | |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1426 | memcpy( ssl->handshake->randbytes, buf + 2, 32 ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1427 | |
| 1428 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1429 | * Check the session ID length and save session ID |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1430 | */ |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1431 | sess_len = buf[34]; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1432 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1433 | if( sess_len > sizeof( ssl->session_negotiate->id ) || |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1434 | sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1435 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1436 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1437 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1438 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1439 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1440 | } |
| 1441 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1442 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1443 | |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1444 | ssl->session_negotiate->id_len = sess_len; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1445 | memset( ssl->session_negotiate->id, 0, |
| 1446 | sizeof( ssl->session_negotiate->id ) ); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1447 | memcpy( ssl->session_negotiate->id, buf + 35, |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1448 | ssl->session_negotiate->id_len ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1449 | |
| 1450 | /* |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1451 | * Check the cookie length and content |
| 1452 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1453 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1454 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1455 | { |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1456 | cookie_offset = 35 + sess_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1457 | cookie_len = buf[cookie_offset]; |
| 1458 | |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1459 | if( cookie_offset + 1 + cookie_len + 2 > msg_len ) |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1460 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1461 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1462 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1463 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| 1464 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1465 | } |
| 1466 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1467 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1468 | buf + cookie_offset + 1, cookie_len ); |
| 1469 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1470 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1471 | if( ssl->conf->f_cookie_check != NULL |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1472 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1473 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1474 | #endif |
| 1475 | ) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1476 | { |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1477 | if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1478 | buf + cookie_offset + 1, cookie_len, |
| 1479 | ssl->cli_id, ssl->cli_id_len ) != 0 ) |
| 1480 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1481 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1482 | ssl->handshake->verify_cookie_len = 1; |
| 1483 | } |
| 1484 | else |
| 1485 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1486 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1487 | ssl->handshake->verify_cookie_len = 0; |
| 1488 | } |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1489 | } |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 1490 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1491 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1492 | { |
| 1493 | /* We know we didn't send a cookie, so it should be empty */ |
| 1494 | if( cookie_len != 0 ) |
| 1495 | { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1496 | /* This may be an attacker's probe, so don't send an alert */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1497 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1498 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1499 | } |
| 1500 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1501 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1502 | } |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1503 | |
| 1504 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1505 | * Check the ciphersuitelist length (will be parsed later) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1506 | */ |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1507 | ciph_offset = cookie_offset + 1 + cookie_len; |
| Manuel Pégourié-Gonnard | a06d7fe | 2015-03-13 10:36:55 +0000 | [diff] [blame] | 1508 | } |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1509 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1510 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1511 | ciph_offset = 35 + sess_len; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1512 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1513 | ciph_len = ( buf[ciph_offset + 0] << 8 ) |
| 1514 | | ( buf[ciph_offset + 1] ); |
| 1515 | |
| 1516 | if( ciph_len < 2 || |
| 1517 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| 1518 | ( ciph_len % 2 ) != 0 ) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1519 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1520 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1521 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1522 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1523 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1524 | } |
| 1525 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1526 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1527 | buf + ciph_offset + 2, ciph_len ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1528 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1529 | /* |
| 1530 | * Check the compression algorithms length and pick one |
| 1531 | */ |
| 1532 | comp_offset = ciph_offset + 2 + ciph_len; |
| 1533 | |
| 1534 | comp_len = buf[comp_offset]; |
| 1535 | |
| 1536 | if( comp_len < 1 || |
| 1537 | comp_len > 16 || |
| 1538 | comp_len + comp_offset + 1 > msg_len ) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1539 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1540 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1541 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1542 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1543 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1544 | } |
| 1545 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1546 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1547 | buf + comp_offset + 1, comp_len ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1548 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1549 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1550 | /* See comments in ssl_write_client_hello() */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1551 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1552 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1553 | ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1554 | #endif |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1555 | /* |
| 1556 | * Check the extension length |
| 1557 | */ |
| 1558 | ext_offset = comp_offset + 1 + comp_len; |
| 1559 | if( msg_len > ext_offset ) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1560 | { |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1561 | if( msg_len < ext_offset + 2 ) |
| 1562 | { |
| 1563 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1564 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1565 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1566 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1567 | } |
| 1568 | |
| 1569 | ext_len = ( buf[ext_offset + 0] << 8 ) |
| 1570 | | ( buf[ext_offset + 1] ); |
| 1571 | |
| Glenn Strauss | 8a8a83b | 2021-02-02 02:21:23 -0500 | [diff] [blame] | 1572 | if( msg_len != ext_offset + 2 + ext_len ) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1573 | { |
| 1574 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1575 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1576 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1577 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1578 | } |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1579 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1580 | else |
| 1581 | ext_len = 0; |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1582 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1583 | ext = buf + ext_offset + 2; |
| 1584 | MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1585 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1586 | while( ext_len != 0 ) |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1587 | { |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 1588 | unsigned int ext_id; |
| 1589 | unsigned int ext_size; |
| 1590 | if ( ext_len < 4 ) { |
| 1591 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| 1592 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1593 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1594 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 1595 | } |
| 1596 | ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); |
| 1597 | ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1598 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1599 | if( ext_size + 4 > ext_len ) |
| 1600 | { |
| 1601 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1602 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1603 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1604 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1605 | } |
| 1606 | switch( ext_id ) |
| 1607 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1608 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1609 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| 1610 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1611 | ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); |
| 1612 | if( ret != 0 ) |
| 1613 | return( ret ); |
| 1614 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1615 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 1616 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1617 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| 1618 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1619 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1620 | renegotiation_info_seen = 1; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1621 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1622 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1623 | ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); |
| 1624 | if( ret != 0 ) |
| 1625 | return( ret ); |
| 1626 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1627 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1628 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1629 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| Ron Eldor | 73a3817 | 2017-10-03 15:58:26 +0300 | [diff] [blame] | 1630 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); |
| 1631 | |
| Jerry Yu | 18cd439 | 2021-12-17 17:44:24 +0800 | [diff] [blame] | 1632 | ret = ssl_parse_sig_alg_ext( ssl, ext + 4, ext_size ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1633 | if( ret != 0 ) |
| 1634 | return( ret ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1635 | |
| 1636 | sig_hash_alg_ext_present = 1; |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1637 | break; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1638 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1639 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 1640 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1641 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b47d0f8 | 2021-12-20 17:34:40 +0800 | [diff] [blame] | 1642 | case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1643 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1644 | |
| Jerry Yu | b47d0f8 | 2021-12-20 17:34:40 +0800 | [diff] [blame] | 1645 | ret = ssl_parse_supported_groups_ext( ssl, ext + 4, ext_size ); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1646 | if( ret != 0 ) |
| 1647 | return( ret ); |
| 1648 | break; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1649 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1650 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| 1651 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); |
| 1652 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1653 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1654 | ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); |
| 1655 | if( ret != 0 ) |
| 1656 | return( ret ); |
| 1657 | break; |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1658 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| 1659 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1660 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1661 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1662 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| 1663 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1664 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1665 | ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); |
| 1666 | if( ret != 0 ) |
| 1667 | return( ret ); |
| 1668 | break; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1669 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1670 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1671 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1672 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| 1673 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1674 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1675 | ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); |
| 1676 | if( ret != 0 ) |
| 1677 | return( ret ); |
| 1678 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1679 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1680 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1681 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1682 | case MBEDTLS_TLS_EXT_CID: |
| 1683 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); |
| 1684 | |
| 1685 | ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size ); |
| 1686 | if( ret != 0 ) |
| 1687 | return( ret ); |
| 1688 | break; |
| Thomas Daubney | e1c9a40 | 2021-06-15 11:26:43 +0100 | [diff] [blame] | 1689 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1690 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1691 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1692 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| 1693 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1694 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1695 | ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); |
| 1696 | if( ret != 0 ) |
| 1697 | return( ret ); |
| 1698 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1699 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1700 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1701 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1702 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| 1703 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1704 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1705 | ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); |
| 1706 | if( ret != 0 ) |
| 1707 | return( ret ); |
| 1708 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1709 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1710 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1711 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1712 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| 1713 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1714 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1715 | ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); |
| 1716 | if( ret != 0 ) |
| 1717 | return( ret ); |
| 1718 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1719 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1720 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1721 | #if defined(MBEDTLS_SSL_ALPN) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1722 | case MBEDTLS_TLS_EXT_ALPN: |
| 1723 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1724 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1725 | ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); |
| 1726 | if( ret != 0 ) |
| 1727 | return( ret ); |
| 1728 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1729 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1730 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1731 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 1732 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| 1733 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) ); |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 1734 | |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 1735 | ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ); |
| 1736 | if( ret != 0 ) |
| 1737 | return( ret ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1738 | break; |
| 1739 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1740 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1741 | default: |
| Paul Elliott | 9f35211 | 2020-12-09 14:55:45 +0000 | [diff] [blame] | 1742 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %u (ignoring)", |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1743 | ext_id ) ); |
| 1744 | } |
| 1745 | |
| 1746 | ext_len -= 4 + ext_size; |
| 1747 | ext += 4 + ext_size; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1748 | } |
| Janos Follath | c6dab2b | 2016-05-23 14:27:02 +0100 | [diff] [blame] | 1749 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1750 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1751 | |
| 1752 | /* |
| 1753 | * Try to fall back to default hash SHA1 if the client |
| 1754 | * hasn't provided any preferred signature-hash combinations. |
| 1755 | */ |
| 1756 | if( sig_hash_alg_ext_present == 0 ) |
| 1757 | { |
| Jerry Yu | eb821c6 | 2022-01-19 18:35:56 +0800 | [diff] [blame] | 1758 | uint16_t sig_algs[] = { MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1) }; |
| 1759 | mbedtls_md_type_t md_default = MBEDTLS_MD_NONE; |
| Jerry Yu | 9719885 | 2022-01-21 16:16:01 +0800 | [diff] [blame] | 1760 | for( i = 0; i < sizeof( sig_algs ) / sizeof( sig_algs[0] ) ; i++ ) |
| Jerry Yu | eb821c6 | 2022-01-19 18:35:56 +0800 | [diff] [blame] | 1761 | { |
| 1762 | if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_algs[ i ] ) ) |
| 1763 | md_default = MBEDTLS_MD_SHA1; |
| 1764 | } |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1765 | |
| Jerry Yu | 9719885 | 2022-01-21 16:16:01 +0800 | [diff] [blame] | 1766 | mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, |
| 1767 | md_default ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1768 | } |
| 1769 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1770 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1771 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1772 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1773 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| 1774 | */ |
| 1775 | for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) |
| 1776 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1777 | if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1778 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1779 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); |
| 1780 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1781 | if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1782 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 1783 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " |
| 1784 | "during renegotiation" ) ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 1785 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1786 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Dave Rodgman | c50b717 | 2021-06-29 14:40:23 +0100 | [diff] [blame] | 1787 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1788 | } |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1789 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1790 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1791 | break; |
| 1792 | } |
| 1793 | } |
| 1794 | |
| 1795 | /* |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1796 | * Renegotiation security checks |
| 1797 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1798 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1799 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1800 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1801 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1802 | handshake_failure = 1; |
| 1803 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1804 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1805 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1806 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1807 | renegotiation_info_seen == 0 ) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1808 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1809 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1810 | handshake_failure = 1; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1811 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1812 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1813 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1814 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1815 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1816 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1817 | handshake_failure = 1; |
| 1818 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1819 | else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1820 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1821 | renegotiation_info_seen == 1 ) |
| 1822 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1823 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1824 | handshake_failure = 1; |
| 1825 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1826 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1827 | |
| 1828 | if( handshake_failure == 1 ) |
| 1829 | { |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 1830 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1831 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Hanno Becker | 90d59dd | 2021-06-24 11:17:13 +0100 | [diff] [blame] | 1832 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1833 | } |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1834 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1835 | /* |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1836 | * Server certification selection (after processing TLS extensions) |
| 1837 | */ |
| 1838 | if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 ) |
| 1839 | { |
| 1840 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret ); |
| 1841 | return( ret ); |
| 1842 | } |
| Glenn Strauss | 6989407 | 2022-01-24 12:58:00 -0500 | [diff] [blame] | 1843 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 1844 | ssl->handshake->sni_name = NULL; |
| 1845 | ssl->handshake->sni_name_len = 0; |
| 1846 | #endif |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1847 | |
| 1848 | /* |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1849 | * Search for a matching ciphersuite |
| Manuel Pégourié-Gonnard | 3ebb2cd | 2013-09-23 17:00:18 +0200 | [diff] [blame] | 1850 | * (At the end because we need information from the EC-based extensions |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1851 | * and certificate from the SNI callback triggered by the SNI extension |
| 1852 | * or certificate from server certificate selection callback.) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1853 | */ |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1854 | got_common_suite = 0; |
| Hanno Becker | d60b6c6 | 2021-04-29 12:04:11 +0100 | [diff] [blame] | 1855 | ciphersuites = ssl->conf->ciphersuite_list; |
| Manuel Pégourié-Gonnard | 59b81d7 | 2013-11-30 17:46:04 +0100 | [diff] [blame] | 1856 | ciphersuite_info = NULL; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1857 | |
| TRodziewicz | 3946f79 | 2021-06-14 12:11:18 +0200 | [diff] [blame] | 1858 | if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1859 | { |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1860 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1861 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| 1862 | { |
| Joe Subbiani | e4603ee | 2021-08-20 13:05:30 +0100 | [diff] [blame] | 1863 | if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] ) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1864 | continue; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1865 | |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1866 | got_common_suite = 1; |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1867 | |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1868 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| 1869 | &ciphersuite_info ) ) != 0 ) |
| 1870 | return( ret ); |
| Manuel Pégourié-Gonnard | 011a8db | 2013-11-30 18:11:07 +0100 | [diff] [blame] | 1871 | |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1872 | if( ciphersuite_info != NULL ) |
| 1873 | goto have_ciphersuite; |
| 1874 | } |
| 1875 | } else { |
| 1876 | for( i = 0; ciphersuites[i] != 0; i++ ) |
| 1877 | for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) |
| 1878 | { |
| Joe Subbiani | e4603ee | 2021-08-20 13:05:30 +0100 | [diff] [blame] | 1879 | if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] ) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1880 | continue; |
| 1881 | |
| 1882 | got_common_suite = 1; |
| 1883 | |
| 1884 | if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], |
| 1885 | &ciphersuite_info ) ) != 0 ) |
| 1886 | return( ret ); |
| 1887 | |
| 1888 | if( ciphersuite_info != NULL ) |
| 1889 | goto have_ciphersuite; |
| 1890 | } |
| 1891 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1892 | |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1893 | if( got_common_suite ) |
| 1894 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1895 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1896 | "but none of them usable" ) ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 1897 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1898 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Dave Rodgman | 096c411 | 2021-06-29 09:52:06 +0100 | [diff] [blame] | 1899 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1900 | } |
| 1901 | else |
| 1902 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1903 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 1904 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1905 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); |
| Dave Rodgman | bb05cd0 | 2021-06-29 10:37:43 +0100 | [diff] [blame] | 1906 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1907 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1908 | |
| 1909 | have_ciphersuite: |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1910 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1911 | |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1912 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 1913 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1914 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1915 | ssl->state++; |
| 1916 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1917 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 1918 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1919 | mbedtls_ssl_recv_flight_completed( ssl ); |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 1920 | #endif |
| 1921 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1922 | /* Debugging-only output for testsuite */ |
| 1923 | #if defined(MBEDTLS_DEBUG_C) && \ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1924 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 1925 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); |
| 1926 | if( sig_alg != MBEDTLS_PK_NONE ) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1927 | { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 1928 | mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, |
| 1929 | sig_alg ); |
| 1930 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", |
| 1931 | mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); |
| 1932 | } |
| 1933 | else |
| 1934 | { |
| 1935 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " |
| 1936 | "%u - should not happen", (unsigned) sig_alg ) ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1937 | } |
| 1938 | #endif |
| 1939 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1940 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1941 | |
| 1942 | return( 0 ); |
| 1943 | } |
| 1944 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1945 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1946 | static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, |
| 1947 | unsigned char *buf, |
| 1948 | size_t *olen ) |
| 1949 | { |
| 1950 | unsigned char *p = buf; |
| 1951 | size_t ext_len; |
| 1952 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1953 | |
| 1954 | *olen = 0; |
| 1955 | |
| 1956 | /* Skip writing the extension if we don't want to use it or if |
| 1957 | * the client hasn't offered it. */ |
| 1958 | if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED ) |
| 1959 | return; |
| 1960 | |
| 1961 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 1962 | * which is at most 255, so the increment cannot overflow. */ |
| 1963 | if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) ) |
| 1964 | { |
| 1965 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| 1966 | return; |
| 1967 | } |
| 1968 | |
| 1969 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) ); |
| 1970 | |
| 1971 | /* |
| Hanno Becker | ebcc913 | 2019-05-15 10:26:32 +0100 | [diff] [blame] | 1972 | * Quoting draft-ietf-tls-dtls-connection-id-05 |
| 1973 | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1974 | * |
| 1975 | * struct { |
| 1976 | * opaque cid<0..2^8-1>; |
| 1977 | * } ConnectionId; |
| 1978 | */ |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1979 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 ); |
| 1980 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1981 | ext_len = (size_t) ssl->own_cid_len + 1; |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1982 | MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); |
| 1983 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1984 | |
| 1985 | *p++ = (uint8_t) ssl->own_cid_len; |
| 1986 | memcpy( p, ssl->own_cid, ssl->own_cid_len ); |
| 1987 | |
| 1988 | *olen = ssl->own_cid_len + 5; |
| 1989 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1990 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1991 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1992 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| 1993 | static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1994 | unsigned char *buf, |
| 1995 | size_t *olen ) |
| 1996 | { |
| 1997 | unsigned char *p = buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1998 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| Przemyslaw Stekiel | 2c87a20 | 2022-01-31 10:59:30 +0100 | [diff] [blame] | 1999 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2000 | psa_key_type_t key_type; |
| 2001 | psa_algorithm_t alg; |
| 2002 | size_t key_bits; |
| 2003 | #else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2004 | const mbedtls_cipher_info_t *cipher = NULL; |
| Przemyslaw Stekiel | 2c87a20 | 2022-01-31 10:59:30 +0100 | [diff] [blame] | 2005 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2006 | |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 2007 | /* |
| 2008 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| 2009 | * from a client and then selects a stream or Authenticated Encryption |
| 2010 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| 2011 | * encrypt-then-MAC response extension back to the client." |
| 2012 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2013 | if( ( suite = mbedtls_ssl_ciphersuite_from_id( |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 2014 | ssl->session_negotiate->ciphersuite ) ) == NULL || |
| Przemyslaw Stekiel | 2c87a20 | 2022-01-31 10:59:30 +0100 | [diff] [blame] | 2015 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Przemyslaw Stekiel | 8c010eb | 2022-02-03 10:44:02 +0100 | [diff] [blame] | 2016 | ( mbedtls_ssl_cipher_to_psa( suite->cipher, 0, &alg, |
| 2017 | &key_type, &key_bits ) != PSA_SUCCESS ) || |
| Przemyslaw Stekiel | 2c87a20 | 2022-01-31 10:59:30 +0100 | [diff] [blame] | 2018 | alg != PSA_ALG_CBC_NO_PADDING ) |
| 2019 | #else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2020 | ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || |
| 2021 | cipher->mode != MBEDTLS_MODE_CBC ) |
| Przemyslaw Stekiel | 2c87a20 | 2022-01-31 10:59:30 +0100 | [diff] [blame] | 2022 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 2023 | { |
| Ronald Cron | 862902d | 2022-03-24 14:15:28 +0100 | [diff] [blame] | 2024 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| 2025 | } |
| 2026 | |
| 2027 | if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) |
| 2028 | { |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 2029 | *olen = 0; |
| 2030 | return; |
| 2031 | } |
| 2032 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2033 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2034 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2035 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 ); |
| 2036 | p += 2; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2037 | |
| 2038 | *p++ = 0x00; |
| 2039 | *p++ = 0x00; |
| 2040 | |
| 2041 | *olen = 4; |
| 2042 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2043 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2044 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2045 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 2046 | static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2047 | unsigned char *buf, |
| 2048 | size_t *olen ) |
| 2049 | { |
| 2050 | unsigned char *p = buf; |
| 2051 | |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2052 | if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2053 | { |
| 2054 | *olen = 0; |
| 2055 | return; |
| 2056 | } |
| 2057 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2058 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2059 | "extension" ) ); |
| 2060 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2061 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 ); |
| 2062 | p += 2; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2063 | |
| 2064 | *p++ = 0x00; |
| 2065 | *p++ = 0x00; |
| 2066 | |
| 2067 | *olen = 4; |
| 2068 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2069 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2070 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2071 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 2072 | static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2073 | unsigned char *buf, |
| 2074 | size_t *olen ) |
| 2075 | { |
| 2076 | unsigned char *p = buf; |
| 2077 | |
| 2078 | if( ssl->handshake->new_session_ticket == 0 ) |
| 2079 | { |
| 2080 | *olen = 0; |
| 2081 | return; |
| 2082 | } |
| 2083 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2084 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2085 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2086 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 ); |
| 2087 | p += 2; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2088 | |
| 2089 | *p++ = 0x00; |
| 2090 | *p++ = 0x00; |
| 2091 | |
| 2092 | *olen = 4; |
| 2093 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2094 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2095 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2096 | static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2097 | unsigned char *buf, |
| 2098 | size_t *olen ) |
| 2099 | { |
| 2100 | unsigned char *p = buf; |
| 2101 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2102 | if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2103 | { |
| 2104 | *olen = 0; |
| 2105 | return; |
| 2106 | } |
| 2107 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2108 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2109 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2110 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 ); |
| 2111 | p += 2; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2112 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2113 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 2114 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 2115 | { |
| 2116 | *p++ = 0x00; |
| 2117 | *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; |
| 2118 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2119 | |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 2120 | memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); |
| 2121 | p += ssl->verify_data_len; |
| 2122 | memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); |
| 2123 | p += ssl->verify_data_len; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 2124 | } |
| 2125 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2126 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 2127 | { |
| 2128 | *p++ = 0x00; |
| 2129 | *p++ = 0x01; |
| 2130 | *p++ = 0x00; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 2131 | } |
| Manuel Pégourié-Gonnard | 1938975 | 2015-06-23 13:46:44 +0200 | [diff] [blame] | 2132 | |
| 2133 | *olen = p - buf; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2134 | } |
| 2135 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2136 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 2137 | static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2138 | unsigned char *buf, |
| 2139 | size_t *olen ) |
| 2140 | { |
| 2141 | unsigned char *p = buf; |
| 2142 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2143 | if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) |
| Manuel Pégourié-Gonnard | e048b67 | 2013-07-19 12:47:00 +0200 | [diff] [blame] | 2144 | { |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2145 | *olen = 0; |
| 2146 | return; |
| 2147 | } |
| 2148 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2149 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2150 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2151 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 ); |
| 2152 | p += 2; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2153 | |
| 2154 | *p++ = 0x00; |
| 2155 | *p++ = 1; |
| 2156 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 2157 | *p++ = ssl->session_negotiate->mfl_code; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2158 | |
| 2159 | *olen = 5; |
| 2160 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2161 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2162 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 2163 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 2164 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2165 | static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2166 | unsigned char *buf, |
| 2167 | size_t *olen ) |
| 2168 | { |
| 2169 | unsigned char *p = buf; |
| 2170 | ((void) ssl); |
| 2171 | |
| Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 2172 | if( ( ssl->handshake->cli_exts & |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2173 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) |
| Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 2174 | { |
| 2175 | *olen = 0; |
| 2176 | return; |
| 2177 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2178 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2179 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2180 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2181 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 ); |
| 2182 | p += 2; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2183 | |
| 2184 | *p++ = 0x00; |
| 2185 | *p++ = 2; |
| 2186 | |
| 2187 | *p++ = 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2188 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2189 | |
| 2190 | *olen = 6; |
| 2191 | } |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 2192 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2193 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2194 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 2195 | static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, |
| 2196 | unsigned char *buf, |
| 2197 | size_t *olen ) |
| 2198 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2199 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2200 | unsigned char *p = buf; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2201 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2202 | size_t kkpp_len; |
| 2203 | |
| 2204 | *olen = 0; |
| 2205 | |
| 2206 | /* Skip costly computation if not needed */ |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2207 | if( ssl->handshake->ciphersuite_info->key_exchange != |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2208 | MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| 2209 | return; |
| 2210 | |
| 2211 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); |
| 2212 | |
| 2213 | if( end - p < 4 ) |
| 2214 | { |
| 2215 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| 2216 | return; |
| 2217 | } |
| 2218 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2219 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); |
| 2220 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2221 | |
| Manuel Pégourié-Gonnard | 5674a97 | 2015-10-19 15:14:03 +0200 | [diff] [blame] | 2222 | ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, |
| 2223 | p + 2, end - p - 2, &kkpp_len, |
| 2224 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| 2225 | if( ret != 0 ) |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2226 | { |
| 2227 | MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); |
| 2228 | return; |
| 2229 | } |
| 2230 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2231 | MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); |
| 2232 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2233 | |
| 2234 | *olen = kkpp_len + 4; |
| 2235 | } |
| 2236 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 2237 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2238 | #if defined(MBEDTLS_SSL_ALPN ) |
| 2239 | static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2240 | unsigned char *buf, size_t *olen ) |
| 2241 | { |
| 2242 | if( ssl->alpn_chosen == NULL ) |
| 2243 | { |
| 2244 | *olen = 0; |
| 2245 | return; |
| 2246 | } |
| 2247 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2248 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2249 | |
| 2250 | /* |
| 2251 | * 0 . 1 ext identifier |
| 2252 | * 2 . 3 ext length |
| 2253 | * 4 . 5 protocol list length |
| 2254 | * 6 . 6 protocol name length |
| 2255 | * 7 . 7+n protocol name |
| 2256 | */ |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2257 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, buf, 0); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2258 | |
| 2259 | *olen = 7 + strlen( ssl->alpn_chosen ); |
| 2260 | |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2261 | MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2262 | |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2263 | MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2264 | |
| Joe Subbiani | 2194dc4 | 2021-07-14 12:31:31 +0100 | [diff] [blame] | 2265 | buf[6] = MBEDTLS_BYTE_0( *olen - 7 ); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2266 | |
| 2267 | memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); |
| 2268 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2269 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2270 | |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 2271 | #if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2272 | static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl, |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 2273 | unsigned char *buf, |
| 2274 | size_t *olen ) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2275 | { |
| Ron Eldor | 75870ec | 2018-12-06 17:31:55 +0200 | [diff] [blame] | 2276 | size_t mki_len = 0, ext_len = 0; |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2277 | uint16_t profile_value = 0; |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 2278 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 2279 | |
| 2280 | *olen = 0; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2281 | |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 2282 | if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) || |
| 2283 | ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET ) ) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2284 | { |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2285 | return; |
| 2286 | } |
| 2287 | |
| 2288 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding use_srtp extension" ) ); |
| 2289 | |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 2290 | if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED ) |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2291 | { |
| 2292 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 2293 | } |
| 2294 | |
| Johan Pascal | 9bc97ca | 2020-09-21 23:44:45 +0200 | [diff] [blame] | 2295 | /* The extension total size is 9 bytes : |
| 2296 | * - 2 bytes for the extension tag |
| 2297 | * - 2 bytes for the total size |
| 2298 | * - 2 bytes for the protection profile length |
| 2299 | * - 2 bytes for the protection profile |
| 2300 | * - 1 byte for the mki length |
| 2301 | * + the actual mki length |
| 2302 | * Check we have enough room in the output buffer */ |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 2303 | if( (size_t)( end - buf ) < mki_len + 9 ) |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 2304 | { |
| 2305 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); |
| 2306 | return; |
| 2307 | } |
| 2308 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2309 | /* extension */ |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2310 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0 ); |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 2311 | /* |
| 2312 | * total length 5 and mki value: only one profile(2 bytes) |
| 2313 | * and length(2 bytes) and srtp_mki ) |
| 2314 | */ |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2315 | ext_len = 5 + mki_len; |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2316 | MBEDTLS_PUT_UINT16_BE( ext_len, buf, 2 ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2317 | |
| 2318 | /* protection profile length: 2 */ |
| 2319 | buf[4] = 0x00; |
| 2320 | buf[5] = 0x02; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 2321 | profile_value = mbedtls_ssl_check_srtp_profile_value( |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 2322 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile ); |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 2323 | if( profile_value != MBEDTLS_TLS_SRTP_UNSET ) |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2324 | { |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2325 | MBEDTLS_PUT_UINT16_BE( profile_value, buf, 6 ); |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2326 | } |
| 2327 | else |
| 2328 | { |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 2329 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) ); |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2330 | return; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2331 | } |
| 2332 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2333 | buf[8] = mki_len & 0xFF; |
| Ron Eldor | 75870ec | 2018-12-06 17:31:55 +0200 | [diff] [blame] | 2334 | memcpy( &buf[9], ssl->dtls_srtp_info.mki_value, mki_len ); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2335 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2336 | *olen = 9 + mki_len; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2337 | } |
| 2338 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 2339 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2340 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 2341 | static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2342 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2343 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2344 | unsigned char *p = ssl->out_msg + 4; |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2345 | unsigned char *cookie_len_byte; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2346 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2347 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2348 | |
| 2349 | /* |
| 2350 | * struct { |
| 2351 | * ProtocolVersion server_version; |
| 2352 | * opaque cookie<0..2^8-1>; |
| 2353 | * } HelloVerifyRequest; |
| 2354 | */ |
| 2355 | |
| Manuel Pégourié-Gonnard | b35fe56 | 2014-08-09 17:00:46 +0200 | [diff] [blame] | 2356 | /* The RFC is not clear on this point, but sending the actual negotiated |
| 2357 | * version looks like the most interoperable thing to do. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2358 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2359 | ssl->conf->transport, p ); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2360 | MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2361 | p += 2; |
| 2362 | |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2363 | /* If we get here, f_cookie_check is not null */ |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2364 | if( ssl->conf->f_cookie_write == NULL ) |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2365 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2366 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); |
| 2367 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2368 | } |
| 2369 | |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2370 | /* Skip length byte until we know the length */ |
| 2371 | cookie_len_byte = p++; |
| 2372 | |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2373 | if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2374 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 2375 | ssl->cli_id, ssl->cli_id_len ) ) != 0 ) |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2376 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2377 | MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2378 | return( ret ); |
| 2379 | } |
| 2380 | |
| 2381 | *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); |
| 2382 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2383 | MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2384 | |
| 2385 | ssl->out_msglen = p - ssl->out_msg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2386 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2387 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2388 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2389 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2390 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2391 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2392 | { |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2393 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2394 | return( ret ); |
| 2395 | } |
| 2396 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2397 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 2398 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2399 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
| 2400 | { |
| 2401 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); |
| 2402 | return( ret ); |
| 2403 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 2404 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2405 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2406 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2407 | |
| 2408 | return( 0 ); |
| 2409 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2410 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2411 | |
| Hanno Becker | f6e09c6 | 2021-05-13 06:12:38 +0100 | [diff] [blame] | 2412 | static void ssl_handle_id_based_session_resumption( mbedtls_ssl_context *ssl ) |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2413 | { |
| 2414 | int ret; |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2415 | mbedtls_ssl_session session_tmp; |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2416 | mbedtls_ssl_session * const session = ssl->session_negotiate; |
| 2417 | |
| 2418 | /* Resume is 0 by default, see ssl_handshake_init(). |
| 2419 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ |
| 2420 | if( ssl->handshake->resume == 1 ) |
| 2421 | return; |
| Hanno Becker | 7ad7796 | 2021-05-13 06:13:34 +0100 | [diff] [blame] | 2422 | if( session->id_len == 0 ) |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2423 | return; |
| 2424 | if( ssl->conf->f_get_cache == NULL ) |
| 2425 | return; |
| 2426 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 2427 | if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) |
| 2428 | return; |
| 2429 | #endif |
| 2430 | |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2431 | mbedtls_ssl_session_init( &session_tmp ); |
| 2432 | |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2433 | ret = ssl->conf->f_get_cache( ssl->conf->p_cache, |
| Hanno Becker | ccdaf6e | 2021-04-15 09:26:17 +0100 | [diff] [blame] | 2434 | session->id, |
| 2435 | session->id_len, |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2436 | &session_tmp ); |
| 2437 | if( ret != 0 ) |
| 2438 | goto exit; |
| 2439 | |
| 2440 | if( session->ciphersuite != session_tmp.ciphersuite || |
| 2441 | session->compression != session_tmp.compression ) |
| 2442 | { |
| 2443 | /* Mismatch between cached and negotiated session */ |
| 2444 | goto exit; |
| 2445 | } |
| 2446 | |
| 2447 | /* Move semantics */ |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2448 | mbedtls_ssl_session_free( session ); |
| 2449 | *session = session_tmp; |
| Hanno Becker | fc1f413 | 2021-05-14 14:57:54 +0100 | [diff] [blame] | 2450 | memset( &session_tmp, 0, sizeof( session_tmp ) ); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2451 | |
| 2452 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); |
| 2453 | ssl->handshake->resume = 1; |
| 2454 | |
| 2455 | exit: |
| 2456 | |
| Hanno Becker | df56402 | 2021-05-13 06:26:37 +0100 | [diff] [blame] | 2457 | mbedtls_ssl_session_free( &session_tmp ); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2458 | } |
| 2459 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2460 | static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2461 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2462 | #if defined(MBEDTLS_HAVE_TIME) |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 2463 | mbedtls_time_t t; |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2464 | #endif |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2465 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2466 | size_t olen, ext_len = 0, n; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2467 | unsigned char *buf, *p; |
| 2468 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2469 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2470 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2471 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2472 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2473 | ssl->handshake->verify_cookie_len != 0 ) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2474 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2475 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); |
| 2476 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2477 | |
| Manuel Pégourié-Gonnard | 579950c | 2014-09-29 17:47:33 +0200 | [diff] [blame] | 2478 | return( ssl_write_hello_verify_request( ssl ) ); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2479 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2480 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2481 | |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 2482 | if( ssl->conf->f_rng == NULL ) |
| Paul Bakker | a9a028e | 2013-11-21 17:31:06 +0100 | [diff] [blame] | 2483 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2484 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); |
| 2485 | return( MBEDTLS_ERR_SSL_NO_RNG ); |
| Paul Bakker | a9a028e | 2013-11-21 17:31:06 +0100 | [diff] [blame] | 2486 | } |
| 2487 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2488 | /* |
| 2489 | * 0 . 0 handshake type |
| 2490 | * 1 . 3 handshake length |
| 2491 | * 4 . 5 protocol version |
| 2492 | * 6 . 9 UNIX time() |
| 2493 | * 10 . 37 random bytes |
| 2494 | */ |
| 2495 | buf = ssl->out_msg; |
| 2496 | p = buf + 4; |
| 2497 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2498 | mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 2499 | ssl->conf->transport, p ); |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 2500 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2501 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2502 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 2503 | buf[4], buf[5] ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2504 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2505 | #if defined(MBEDTLS_HAVE_TIME) |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 2506 | t = mbedtls_time( NULL ); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2507 | MBEDTLS_PUT_UINT32_BE( t, p, 0 ); |
| 2508 | p += 4; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2509 | |
| Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2510 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
| 2511 | (long long) t ) ); |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2512 | #else |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 2513 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2514 | return( ret ); |
| 2515 | |
| 2516 | p += 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2517 | #endif /* MBEDTLS_HAVE_TIME */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2518 | |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 2519 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) |
| Paul Bakker | a3d195c | 2011-11-27 21:07:34 +0000 | [diff] [blame] | 2520 | return( ret ); |
| 2521 | |
| 2522 | p += 28; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2523 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2524 | memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2525 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2526 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2527 | |
| Hanno Becker | f6e09c6 | 2021-05-13 06:12:38 +0100 | [diff] [blame] | 2528 | ssl_handle_id_based_session_resumption( ssl ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2529 | |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2530 | if( ssl->handshake->resume == 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2531 | { |
| 2532 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2533 | * New session, create a new session id, |
| 2534 | * unless we're about to issue a session ticket |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2535 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2536 | ssl->state++; |
| 2537 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2538 | #if defined(MBEDTLS_HAVE_TIME) |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 2539 | ssl->session_negotiate->start = mbedtls_time( NULL ); |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 2540 | #endif |
| 2541 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2542 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 2543 | if( ssl->handshake->new_session_ticket != 0 ) |
| 2544 | { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2545 | ssl->session_negotiate->id_len = n = 0; |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 2546 | memset( ssl->session_negotiate->id, 0, 32 ); |
| 2547 | } |
| 2548 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2549 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2550 | { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2551 | ssl->session_negotiate->id_len = n = 32; |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 2552 | if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 2553 | n ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2554 | return( ret ); |
| 2555 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2556 | } |
| 2557 | else |
| 2558 | { |
| 2559 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2560 | * Resuming a session |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2561 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2562 | n = ssl->session_negotiate->id_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2563 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2564 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2565 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2566 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2567 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2568 | return( ret ); |
| 2569 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2570 | } |
| 2571 | |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2572 | /* |
| 2573 | * 38 . 38 session id length |
| 2574 | * 39 . 38+n session id |
| 2575 | * 39+n . 40+n chosen ciphersuite |
| 2576 | * 41+n . 41+n chosen compression alg. |
| 2577 | * 42+n . 43+n extensions length |
| 2578 | * 44+n . 43+n+m extensions |
| 2579 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2580 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| 2581 | memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); |
| 2582 | p += ssl->session_negotiate->id_len; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2583 | |
| Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2584 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) ); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2585 | MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); |
| 2586 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", |
| Paul Bakker | 0a59707 | 2012-09-25 21:55:46 +0000 | [diff] [blame] | 2587 | ssl->handshake->resume ? "a" : "no" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2588 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2589 | MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 ); |
| 2590 | p += 2; |
| Joe Subbiani | fbeb692 | 2021-07-16 14:27:50 +0100 | [diff] [blame] | 2591 | *p++ = MBEDTLS_BYTE_0( ssl->session_negotiate->compression ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2592 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2593 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", |
| 2594 | mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); |
| 2595 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", |
| Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 2596 | (unsigned int) ssl->session_negotiate->compression ) ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2597 | |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2598 | /* |
| 2599 | * First write extensions, then the total length |
| 2600 | */ |
| 2601 | ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); |
| 2602 | ext_len += olen; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2603 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2604 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2605 | ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); |
| 2606 | ext_len += olen; |
| Paul Bakker | 05decb2 | 2013-08-15 13:33:48 +0200 | [diff] [blame] | 2607 | #endif |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2608 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2609 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 2610 | ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen ); |
| 2611 | ext_len += olen; |
| 2612 | #endif |
| 2613 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2614 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2615 | ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); |
| 2616 | ext_len += olen; |
| 2617 | #endif |
| 2618 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2619 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2620 | ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); |
| 2621 | ext_len += olen; |
| 2622 | #endif |
| 2623 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2624 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2625 | ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); |
| 2626 | ext_len += olen; |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 2627 | #endif |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2628 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 2629 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 2630 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Ron Eldor | 755bb6a | 2018-02-14 19:30:48 +0200 | [diff] [blame] | 2631 | if ( mbedtls_ssl_ciphersuite_uses_ec( |
| 2632 | mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) ) |
| 2633 | { |
| 2634 | ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); |
| 2635 | ext_len += olen; |
| 2636 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2637 | #endif |
| 2638 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2639 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 2640 | ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); |
| 2641 | ext_len += olen; |
| 2642 | #endif |
| 2643 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2644 | #if defined(MBEDTLS_SSL_ALPN) |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2645 | ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); |
| 2646 | ext_len += olen; |
| 2647 | #endif |
| 2648 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2649 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 2650 | ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen ); |
| 2651 | ext_len += olen; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2652 | #endif |
| 2653 | |
| Paul Elliott | d48d5c6 | 2021-01-07 14:47:05 +0000 | [diff] [blame] | 2654 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 2655 | ext_len ) ); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2656 | |
| Paul Bakker | a703663 | 2014-04-30 10:15:38 +0200 | [diff] [blame] | 2657 | if( ext_len > 0 ) |
| 2658 | { |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2659 | MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); |
| Joe Subbiani | 94180e7 | 2021-08-20 16:20:44 +0100 | [diff] [blame] | 2660 | p += 2 + ext_len; |
| Paul Bakker | a703663 | 2014-04-30 10:15:38 +0200 | [diff] [blame] | 2661 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2662 | |
| 2663 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2664 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2665 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2666 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2667 | ret = mbedtls_ssl_write_handshake_msg( ssl ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2668 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2669 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2670 | |
| 2671 | return( ret ); |
| 2672 | } |
| 2673 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2674 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2675 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2676 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2677 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2678 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2679 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2680 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2681 | |
| Hanno Becker | 77adddc | 2019-02-07 12:32:43 +0000 | [diff] [blame] | 2682 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2683 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2684 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2685 | ssl->state++; |
| 2686 | return( 0 ); |
| 2687 | } |
| 2688 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2689 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 2690 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2691 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2692 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2693 | static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2694 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2695 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2696 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2697 | ssl->handshake->ciphersuite_info; |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2698 | uint16_t dn_size, total_dn_size; /* excluding length bytes */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2699 | size_t ct_len, sa_len; /* including length bytes */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2700 | unsigned char *buf, *p; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2701 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2702 | const mbedtls_x509_crt *crt; |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2703 | int authmode; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2704 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2705 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2706 | |
| 2707 | ssl->state++; |
| 2708 | |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2709 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 2710 | if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) |
| 2711 | authmode = ssl->handshake->sni_authmode; |
| 2712 | else |
| 2713 | #endif |
| 2714 | authmode = ssl->conf->authmode; |
| 2715 | |
| Hanno Becker | 77adddc | 2019-02-07 12:32:43 +0000 | [diff] [blame] | 2716 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2717 | authmode == MBEDTLS_SSL_VERIFY_NONE ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2718 | { |
| Johan Pascal | 4f09926 | 2020-09-22 10:59:26 +0200 | [diff] [blame] | 2719 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); |
| 2720 | return( 0 ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2721 | } |
| 2722 | |
| 2723 | /* |
| 2724 | * 0 . 0 handshake type |
| 2725 | * 1 . 3 handshake length |
| 2726 | * 4 . 4 cert type count |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2727 | * 5 .. m-1 cert types |
| 2728 | * m .. m+1 sig alg length (TLS 1.2 only) |
| Paul Bakker | 9af723c | 2014-05-01 13:03:14 +0200 | [diff] [blame] | 2729 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2730 | * n .. n+1 length of all DNs |
| 2731 | * n+2 .. n+3 length of DN 1 |
| 2732 | * n+4 .. ... Distinguished Name #1 |
| 2733 | * ... .. ... length of DN 2, etc. |
| 2734 | */ |
| 2735 | buf = ssl->out_msg; |
| 2736 | p = buf + 4; |
| 2737 | |
| 2738 | /* |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2739 | * Supported certificate types |
| 2740 | * |
| 2741 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2742 | * enum { (255) } ClientCertificateType; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2743 | */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2744 | ct_len = 0; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2745 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2746 | #if defined(MBEDTLS_RSA_C) |
| 2747 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2748 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2749 | #if defined(MBEDTLS_ECDSA_C) |
| 2750 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2751 | #endif |
| 2752 | |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2753 | p[0] = (unsigned char) ct_len++; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2754 | p += ct_len; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2755 | |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 2756 | sa_len = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 2757 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2758 | /* |
| 2759 | * Add signature_algorithms for verify (TLS 1.2) |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2760 | * |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2761 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| 2762 | * |
| 2763 | * struct { |
| 2764 | * HashAlgorithm hash; |
| 2765 | * SignatureAlgorithm signature; |
| 2766 | * } SignatureAndHashAlgorithm; |
| 2767 | * |
| 2768 | * enum { (255) } HashAlgorithm; |
| 2769 | * enum { (255) } SignatureAlgorithm; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2770 | */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2771 | const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl ); |
| 2772 | if( sig_alg == NULL ) |
| 2773 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
| 2774 | |
| 2775 | for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2776 | { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2777 | unsigned char hash = MBEDTLS_BYTE_1( *sig_alg ); |
| Jerry Yu | 6106fdc | 2022-01-12 16:36:14 +0800 | [diff] [blame] | 2778 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2779 | if( mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) |
| 2780 | continue; |
| 2781 | if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) ) |
| 2782 | continue; |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2783 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2784 | MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len ); |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2785 | sa_len += 2; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2786 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2787 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2788 | MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 ); |
| 2789 | sa_len += 2; |
| 2790 | p += sa_len; |
| 2791 | |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2792 | /* |
| 2793 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2794 | * opaque DistinguishedName<1..2^16-1>; |
| 2795 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2796 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2797 | |
| Paul Bakker | bc3d984 | 2012-11-26 16:12:02 +0100 | [diff] [blame] | 2798 | total_dn_size = 0; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2799 | |
| 2800 | if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2801 | { |
| Hanno Becker | 8bf74f3 | 2019-03-27 11:01:30 +0000 | [diff] [blame] | 2802 | /* NOTE: If trusted certificates are provisioned |
| 2803 | * via a CA callback (configured through |
| 2804 | * `mbedtls_ssl_conf_ca_cb()`, then the |
| 2805 | * CertificateRequest is currently left empty. */ |
| 2806 | |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2807 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 2808 | if( ssl->handshake->sni_ca_chain != NULL ) |
| 2809 | crt = ssl->handshake->sni_ca_chain; |
| 2810 | else |
| 2811 | #endif |
| 2812 | crt = ssl->conf->ca_chain; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2813 | |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2814 | while( crt != NULL && crt->version != 0 ) |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2815 | { |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2816 | /* It follows from RFC 5280 A.1 that this length |
| 2817 | * can be represented in at most 11 bits. */ |
| 2818 | dn_size = (uint16_t) crt->subject_raw.len; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2819 | |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2820 | if( end < p || (size_t)( end - p ) < 2 + (size_t) dn_size ) |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2821 | { |
| 2822 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); |
| 2823 | break; |
| 2824 | } |
| 2825 | |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2826 | MBEDTLS_PUT_UINT16_BE( dn_size, p, 0 ); |
| 2827 | p += 2; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2828 | memcpy( p, crt->subject_raw.p, dn_size ); |
| 2829 | p += dn_size; |
| 2830 | |
| 2831 | MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); |
| 2832 | |
| 2833 | total_dn_size += 2 + dn_size; |
| 2834 | crt = crt->next; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2835 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2836 | } |
| 2837 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2838 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2839 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2840 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 2841 | MBEDTLS_PUT_UINT16_BE( total_dn_size, ssl->out_msg, 4 + ct_len + sa_len ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2842 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 2843 | ret = mbedtls_ssl_write_handshake_msg( ssl ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2844 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2845 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2846 | |
| 2847 | return( ret ); |
| 2848 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2849 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2850 | |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2851 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 2852 | ( defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2853 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) |
| 2854 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) |
| 2855 | { |
| 2856 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2857 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| Neil Armstrong | 4f33fbc | 2022-03-22 16:30:01 +0100 | [diff] [blame] | 2858 | unsigned char buf[ |
| 2859 | PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2860 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2861 | size_t ecdh_bits = 0; |
| 2862 | size_t key_len; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2863 | mbedtls_pk_context *pk; |
| 2864 | mbedtls_ecp_keypair *key; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2865 | |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2866 | pk = mbedtls_ssl_own_key( ssl ); |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2867 | |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2868 | if( pk == NULL ) |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2869 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
| 2870 | |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2871 | switch( mbedtls_pk_get_type( pk ) ) |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2872 | { |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2873 | case MBEDTLS_PK_OPAQUE: |
| 2874 | if( ! mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) ) |
| 2875 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
| 2876 | |
| 2877 | ssl->handshake->ecdh_psa_privkey = |
| 2878 | *( (mbedtls_svc_key_id_t*) pk->pk_ctx ); |
| 2879 | |
| Neil Armstrong | e88d190 | 2022-04-04 11:25:23 +0200 | [diff] [blame] | 2880 | /* Key should not be destroyed in the TLS library */ |
| 2881 | ssl->handshake->ecdh_psa_privkey_is_external = 1; |
| 2882 | |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2883 | status = psa_get_key_attributes( ssl->handshake->ecdh_psa_privkey, |
| 2884 | &key_attributes ); |
| 2885 | if( status != PSA_SUCCESS) |
| Neil Armstrong | e88d190 | 2022-04-04 11:25:23 +0200 | [diff] [blame] | 2886 | { |
| 2887 | ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Neil Armstrong | 1335222 | 2022-03-25 15:08:11 +0100 | [diff] [blame] | 2888 | return( psa_ssl_status_to_mbedtls( status ) ); |
| Neil Armstrong | e88d190 | 2022-04-04 11:25:23 +0200 | [diff] [blame] | 2889 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2890 | |
| 2891 | ssl->handshake->ecdh_psa_type = psa_get_key_type( &key_attributes ); |
| 2892 | ssl->handshake->ecdh_bits = psa_get_key_bits( &key_attributes ); |
| 2893 | |
| 2894 | psa_reset_key_attributes( &key_attributes ); |
| 2895 | |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2896 | ret = 0; |
| 2897 | break; |
| 2898 | case MBEDTLS_PK_ECKEY: |
| 2899 | case MBEDTLS_PK_ECKEY_DH: |
| 2900 | case MBEDTLS_PK_ECDSA: |
| 2901 | key = mbedtls_pk_ec( *pk ); |
| 2902 | if( key == NULL ) |
| 2903 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
| 2904 | |
| 2905 | /* Convert EC group to PSA key type. */ |
| 2906 | if( ( ssl->handshake->ecdh_psa_type = |
| 2907 | mbedtls_ecc_group_to_psa( key->grp.id, |
| 2908 | &ecdh_bits ) ) == 0 ) |
| 2909 | { |
| 2910 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 2911 | } |
| 2912 | |
| Neil Armstrong | 91477a7 | 2022-03-25 15:42:20 +0100 | [diff] [blame] | 2913 | ssl->handshake->ecdh_bits = ecdh_bits; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2914 | |
| 2915 | key_attributes = psa_key_attributes_init(); |
| 2916 | psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); |
| 2917 | psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); |
| 2918 | psa_set_key_type( &key_attributes, |
| 2919 | PSA_KEY_TYPE_ECC_KEY_PAIR( ssl->handshake->ecdh_psa_type ) ); |
| 2920 | psa_set_key_bits( &key_attributes, ssl->handshake->ecdh_bits ); |
| 2921 | |
| 2922 | key_len = PSA_BITS_TO_BYTES( key->grp.pbits ); |
| 2923 | ret = mbedtls_ecp_write_key( key, buf, key_len ); |
| 2924 | if( ret != 0 ) |
| 2925 | goto cleanup; |
| 2926 | |
| 2927 | status = psa_import_key( &key_attributes, buf, key_len, |
| 2928 | &ssl->handshake->ecdh_psa_privkey ); |
| 2929 | if( status != PSA_SUCCESS ) |
| 2930 | { |
| 2931 | ret = psa_ssl_status_to_mbedtls( status ); |
| 2932 | goto cleanup; |
| 2933 | } |
| 2934 | |
| 2935 | ret = 0; |
| 2936 | break; |
| 2937 | default: |
| 2938 | ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2939 | } |
| 2940 | |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2941 | cleanup: |
| Neil Armstrong | 5cd5f76 | 2022-03-22 17:28:51 +0100 | [diff] [blame] | 2942 | mbedtls_platform_zeroize( buf, sizeof( buf ) ); |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2943 | |
| 2944 | return( ret ); |
| 2945 | } |
| 2946 | #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2947 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| 2948 | static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2949 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2950 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2951 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2952 | if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2953 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2954 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); |
| 2955 | return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2956 | } |
| 2957 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2958 | if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, |
| 2959 | mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), |
| 2960 | MBEDTLS_ECDH_OURS ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2961 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2962 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2963 | return( ret ); |
| 2964 | } |
| 2965 | |
| 2966 | return( 0 ); |
| 2967 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2968 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2969 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2970 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2971 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2972 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2973 | static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2974 | size_t *signature_len ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2975 | { |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2976 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 2977 | * signature length which will be added in ssl_write_server_key_exchange |
| 2978 | * after the call to ssl_prepare_server_key_exchange. |
| 2979 | * ssl_write_server_key_exchange also takes care of incrementing |
| 2980 | * ssl->out_msglen. */ |
| 2981 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2982 | size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2983 | - sig_start ); |
| Gilles Peskine | 8f97af7 | 2018-04-26 11:46:10 +0200 | [diff] [blame] | 2984 | int ret = ssl->conf->f_async_resume( ssl, |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2985 | sig_start, signature_len, sig_max_len ); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2986 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| 2987 | { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 2988 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 1febfef | 2018-04-30 11:54:39 +0200 | [diff] [blame] | 2989 | mbedtls_ssl_set_async_operation_data( ssl, NULL ); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2990 | } |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 2991 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2992 | return( ret ); |
| 2993 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2994 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2995 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2996 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 2997 | /* Prepare the ServerKeyExchange message, up to and including |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 2998 | * calculating the signature if any, but excluding formatting the |
| 2999 | * signature and sending the message. */ |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3000 | static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, |
| 3001 | size_t *signature_len ) |
| Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3002 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3003 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3004 | ssl->handshake->ciphersuite_info; |
| 3005 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3006 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3007 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 3ce9b90 | 2018-01-06 01:34:21 +0100 | [diff] [blame] | 3008 | unsigned char *dig_signed = NULL; |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3009 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3010 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3011 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3012 | (void) ciphersuite_info; /* unused in some configurations */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3013 | #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 22e695f | 2018-04-26 00:22:50 +0200 | [diff] [blame] | 3014 | (void) signature_len; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3015 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3016 | |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 3017 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3018 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 3019 | size_t out_buf_len = ssl->out_buf_len - ( ssl->out_msg - ssl->out_buf ); |
| 3020 | #else |
| 3021 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - ( ssl->out_msg - ssl->out_buf ); |
| 3022 | #endif |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 3023 | #endif |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3024 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3025 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3026 | |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3027 | /* |
| 3028 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3029 | * Part 1: Provide key exchange parameters for chosen ciphersuite. |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3030 | * |
| 3031 | */ |
| 3032 | |
| 3033 | /* |
| 3034 | * - ECJPAKE key exchanges |
| 3035 | */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3036 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 3037 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| 3038 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3039 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 3040 | size_t len = 0; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3041 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3042 | ret = mbedtls_ecjpake_write_round_two( |
| 3043 | &ssl->handshake->ecjpake_ctx, |
| 3044 | ssl->out_msg + ssl->out_msglen, |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 3045 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3046 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3047 | if( ret != 0 ) |
| 3048 | { |
| 3049 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); |
| 3050 | return( ret ); |
| 3051 | } |
| 3052 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3053 | ssl->out_msglen += len; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3054 | } |
| 3055 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 3056 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3057 | /* |
| 3058 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support |
| 3059 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, |
| 3060 | * we use empty support identity hints here. |
| 3061 | **/ |
| 3062 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3063 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 3064 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| 3065 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3066 | { |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3067 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| 3068 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3069 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3070 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| 3071 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3072 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3073 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3074 | * - DHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3075 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3076 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3077 | if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3078 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3079 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 3080 | size_t len = 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3081 | |
| Manuel Pégourié-Gonnard | 1028b74 | 2015-05-06 17:33:07 +0100 | [diff] [blame] | 3082 | if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) |
| 3083 | { |
| 3084 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); |
| 3085 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 3086 | } |
| 3087 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3088 | /* |
| 3089 | * Ephemeral DH parameters: |
| 3090 | * |
| 3091 | * struct { |
| 3092 | * opaque dh_p<1..2^16-1>; |
| 3093 | * opaque dh_g<1..2^16-1>; |
| 3094 | * opaque dh_Ys<1..2^16-1>; |
| 3095 | * } ServerDHParams; |
| 3096 | */ |
| Hanno Becker | ab74056 | 2017-10-04 13:15:37 +0100 | [diff] [blame] | 3097 | if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, |
| 3098 | &ssl->conf->dhm_P, |
| 3099 | &ssl->conf->dhm_G ) ) != 0 ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3100 | { |
| Hanno Becker | ab74056 | 2017-10-04 13:15:37 +0100 | [diff] [blame] | 3101 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3102 | return( ret ); |
| 3103 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3104 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3105 | if( ( ret = mbedtls_dhm_make_params( |
| 3106 | &ssl->handshake->dhm_ctx, |
| Gilles Peskine | 487bbf6 | 2021-05-27 22:17:07 +0200 | [diff] [blame] | 3107 | (int) mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx ), |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3108 | ssl->out_msg + ssl->out_msglen, &len, |
| 3109 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3110 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3111 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3112 | return( ret ); |
| 3113 | } |
| 3114 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3115 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3116 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3117 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3118 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3119 | ssl->out_msglen += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3120 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3121 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); |
| 3122 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); |
| 3123 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); |
| 3124 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3125 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3126 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3127 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3128 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3129 | * - ECDHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3130 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3131 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3132 | if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3133 | { |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3134 | /* |
| 3135 | * Ephemeral ECDH parameters: |
| 3136 | * |
| 3137 | * struct { |
| 3138 | * ECParameters curve_params; |
| 3139 | * ECPoint public; |
| 3140 | * } ServerECDHParams; |
| 3141 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3142 | const mbedtls_ecp_curve_info **curve = NULL; |
| Brett Warren | 01f3dae | 2021-08-17 13:50:51 +0100 | [diff] [blame] | 3143 | const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3144 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 3145 | size_t len = 0; |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 3146 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 3147 | /* Match our preference list against the offered curves */ |
| Brett Warren | 01f3dae | 2021-08-17 13:50:51 +0100 | [diff] [blame] | 3148 | if( group_list == NULL ) |
| 3149 | return( MBEDTLS_ERR_SSL_BAD_CONFIG ); |
| 3150 | for( ; *group_list != 0; group_list++ ) |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 3151 | for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) |
| Brett Warren | 01f3dae | 2021-08-17 13:50:51 +0100 | [diff] [blame] | 3152 | if( (*curve)->tls_id == *group_list ) |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 3153 | goto curve_matching_done; |
| 3154 | |
| 3155 | curve_matching_done: |
| Manuel Pégourié-Gonnard | b86145e | 2015-06-23 14:11:39 +0200 | [diff] [blame] | 3156 | if( curve == NULL || *curve == NULL ) |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 3157 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3158 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); |
| Dave Rodgman | bb05cd0 | 2021-06-29 10:37:43 +0100 | [diff] [blame] | 3159 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 3160 | } |
| Manuel Pégourié-Gonnard | de05390 | 2014-02-04 13:58:39 +0100 | [diff] [blame] | 3161 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3162 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 3163 | |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 3164 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3165 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3166 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 3167 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3168 | { |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3169 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 3170 | psa_key_attributes_t key_attributes; |
| 3171 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3172 | size_t ecdh_bits = 0; |
| 3173 | uint8_t *p = ssl->out_msg + ssl->out_msglen; |
| Przemek Stekiel | a4e15cc | 2022-03-16 11:32:42 +0100 | [diff] [blame] | 3174 | const size_t header_size = 4; // curve_type(1), namedcurve(2), |
| 3175 | // data length(1) |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3176 | const size_t data_length_size = 1; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3177 | |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3178 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); |
| 3179 | |
| 3180 | /* Convert EC group to PSA key type. */ |
| 3181 | handshake->ecdh_psa_type = mbedtls_psa_parse_tls_ecc_group( |
| 3182 | (*curve)->tls_id, &ecdh_bits ); |
| 3183 | |
| Neil Armstrong | 91477a7 | 2022-03-25 15:42:20 +0100 | [diff] [blame] | 3184 | if( handshake->ecdh_psa_type == 0 ) |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3185 | { |
| 3186 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid ecc group parse." ) ); |
| 3187 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| 3188 | } |
| Neil Armstrong | 91477a7 | 2022-03-25 15:42:20 +0100 | [diff] [blame] | 3189 | handshake->ecdh_bits = ecdh_bits; |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3190 | |
| 3191 | key_attributes = psa_key_attributes_init(); |
| 3192 | psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); |
| 3193 | psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); |
| 3194 | psa_set_key_type( &key_attributes, handshake->ecdh_psa_type ); |
| 3195 | psa_set_key_bits( &key_attributes, handshake->ecdh_bits ); |
| 3196 | |
| 3197 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3198 | * ECParameters curve_params |
| 3199 | * |
| 3200 | * First byte is curve_type, always named_curve |
| 3201 | */ |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3202 | *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| 3203 | |
| 3204 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3205 | * Next two bytes are the namedcurve value |
| 3206 | */ |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3207 | MBEDTLS_PUT_UINT16_BE( (*curve)->tls_id, p, 0 ); |
| 3208 | p += 2; |
| 3209 | |
| 3210 | /* Generate ECDH private key. */ |
| 3211 | status = psa_generate_key( &key_attributes, |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3212 | &handshake->ecdh_psa_privkey ); |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3213 | if( status != PSA_SUCCESS ) |
| 3214 | { |
| 3215 | ret = psa_ssl_status_to_mbedtls( status ); |
| 3216 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret ); |
| 3217 | return( ret ); |
| 3218 | } |
| 3219 | |
| 3220 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3221 | * ECPoint public |
| 3222 | * |
| 3223 | * First byte is data length. |
| 3224 | * It will be filled later. p holds now the data length location. |
| 3225 | */ |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3226 | |
| 3227 | /* Export the public part of the ECDH private key from PSA. |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3228 | * Make one byte space for the length. |
| 3229 | */ |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3230 | unsigned char *own_pubkey = p + data_length_size; |
| Przemek Stekiel | dd482bf | 2022-03-16 11:43:22 +0100 | [diff] [blame] | 3231 | |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3232 | size_t own_pubkey_max_len = (size_t)( MBEDTLS_SSL_OUT_CONTENT_LEN |
| Przemek Stekiel | dd482bf | 2022-03-16 11:43:22 +0100 | [diff] [blame] | 3233 | - ( own_pubkey - ssl->out_msg ) ); |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3234 | |
| 3235 | status = psa_export_public_key( handshake->ecdh_psa_privkey, |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3236 | own_pubkey, own_pubkey_max_len, |
| 3237 | &len ); |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3238 | if( status != PSA_SUCCESS ) |
| 3239 | { |
| 3240 | ret = psa_ssl_status_to_mbedtls( status ); |
| 3241 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret ); |
| 3242 | (void) psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 3243 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3244 | return( ret ); |
| 3245 | } |
| 3246 | |
| 3247 | /* Store the length of the exported public key. */ |
| 3248 | *p = (uint8_t) len; |
| 3249 | |
| 3250 | /* Determine full message length. */ |
| 3251 | len += header_size; |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 3252 | } |
| Przemek Stekiel | fc91a1f | 2022-03-14 12:05:27 +0100 | [diff] [blame] | 3253 | else |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3254 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3255 | { |
| Przemek Stekiel | 855938e | 2022-03-16 11:29:29 +0100 | [diff] [blame] | 3256 | if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, |
| 3257 | (*curve)->grp_id ) ) != 0 ) |
| 3258 | { |
| 3259 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); |
| 3260 | return( ret ); |
| 3261 | } |
| 3262 | |
| 3263 | if( ( ret = mbedtls_ecdh_make_params( |
| 3264 | &ssl->handshake->ecdh_ctx, &len, |
| 3265 | ssl->out_msg + ssl->out_msglen, |
| 3266 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, |
| 3267 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| 3268 | { |
| 3269 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); |
| 3270 | return( ret ); |
| 3271 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3272 | } |
| 3273 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3274 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3275 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3276 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3277 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3278 | ssl->out_msglen += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3279 | |
| Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 3280 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| 3281 | MBEDTLS_DEBUG_ECDH_Q ); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3282 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3283 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3284 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3285 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3286 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3287 | * Part 2: For key exchanges involving the server signing the |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3288 | * exchange parameters, compute and add the signature here. |
| 3289 | * |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3290 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3291 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3292 | if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3293 | { |
| Gilles Peskine | 1004c19 | 2018-01-08 16:59:14 +0100 | [diff] [blame] | 3294 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; |
| Gilles Peskine | ca1d742 | 2018-04-24 11:53:22 +0200 | [diff] [blame] | 3295 | size_t hashlen = 0; |
| Ronald Cron | 69a6342 | 2021-10-18 09:47:58 +0200 | [diff] [blame] | 3296 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3297 | unsigned char hash[PSA_HASH_MAX_SIZE]; |
| 3298 | #else |
| Gilles Peskine | e1efdf9 | 2018-01-05 21:18:37 +0100 | [diff] [blame] | 3299 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Ronald Cron | 69a6342 | 2021-10-18 09:47:58 +0200 | [diff] [blame] | 3300 | #endif |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3301 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3302 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3303 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3304 | * 2.1: Choose hash algorithm: |
| TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 3305 | * For TLS 1.2, obey signature-hash-algorithm extension |
| 3306 | * to choose appropriate hash. |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3307 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3308 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3309 | mbedtls_md_type_t md_alg; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3310 | mbedtls_pk_type_t sig_alg = |
| 3311 | mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3312 | |
| 3313 | /* For TLS 1.2, obey signature-hash-algorithm extension |
| 3314 | * (RFC 5246, Sec. 7.4.1.4.1). */ |
| 3315 | if( sig_alg == MBEDTLS_PK_NONE || |
| 3316 | ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, |
| 3317 | sig_alg ) ) == MBEDTLS_MD_NONE ) |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3318 | { |
| TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 3319 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3320 | /* (... because we choose a cipher suite |
| 3321 | * only if there is a matching hash.) */ |
| TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 3322 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3323 | } |
| 3324 | |
| Paul Elliott | 3891caf | 2020-12-17 18:42:40 +0000 | [diff] [blame] | 3325 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) ); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3326 | |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3327 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3328 | * 2.2: Compute the hash to be signed |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3329 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3330 | if( md_alg != MBEDTLS_MD_NONE ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3331 | { |
| Gilles Peskine | ca1d742 | 2018-04-24 11:53:22 +0200 | [diff] [blame] | 3332 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, |
| Andres Amaya Garcia | 46f5a3e | 2017-07-20 16:17:51 +0100 | [diff] [blame] | 3333 | dig_signed, |
| 3334 | dig_signed_len, |
| 3335 | md_alg ); |
| 3336 | if( ret != 0 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3337 | return( ret ); |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3338 | } |
| Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 3339 | else |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3340 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3341 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 3342 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3343 | } |
| Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3344 | |
| Gilles Peskine | ebd652f | 2018-01-05 21:18:59 +0100 | [diff] [blame] | 3345 | MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3346 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3347 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3348 | * 2.3: Compute and add the signature |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3349 | */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3350 | /* |
| 3351 | * We need to specify signature and hash algorithm explicitly through |
| 3352 | * a prefix to the signature. |
| 3353 | * |
| 3354 | * struct { |
| 3355 | * HashAlgorithm hash; |
| 3356 | * SignatureAlgorithm signature; |
| 3357 | * } SignatureAndHashAlgorithm; |
| 3358 | * |
| 3359 | * struct { |
| 3360 | * SignatureAndHashAlgorithm algorithm; |
| 3361 | * opaque signature<0..2^16-1>; |
| 3362 | * } DigitallySigned; |
| 3363 | * |
| 3364 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3365 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3366 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg( md_alg ); |
| 3367 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg( sig_alg ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3368 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3369 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3370 | if( ssl->conf->f_async_sign_start != NULL ) |
| 3371 | { |
| Gilles Peskine | 8f97af7 | 2018-04-26 11:46:10 +0200 | [diff] [blame] | 3372 | ret = ssl->conf->f_async_sign_start( ssl, |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3373 | mbedtls_ssl_own_cert( ssl ), |
| 3374 | md_alg, hash, hashlen ); |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3375 | switch( ret ) |
| 3376 | { |
| 3377 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3378 | /* act as if f_async_sign was null */ |
| 3379 | break; |
| 3380 | case 0: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3381 | ssl->handshake->async_in_progress = 1; |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3382 | return( ssl_resume_server_key_exchange( ssl, signature_len ) ); |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3383 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3384 | ssl->handshake->async_in_progress = 1; |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3385 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); |
| 3386 | default: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3387 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret ); |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3388 | return( ret ); |
| 3389 | } |
| 3390 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3391 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3392 | |
| 3393 | if( mbedtls_ssl_own_key( ssl ) == NULL ) |
| 3394 | { |
| 3395 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); |
| 3396 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| 3397 | } |
| 3398 | |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 3399 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 3400 | * signature length which will be added in ssl_write_server_key_exchange |
| 3401 | * after the call to ssl_prepare_server_key_exchange. |
| 3402 | * ssl_write_server_key_exchange also takes care of incrementing |
| 3403 | * ssl->out_msglen. */ |
| Gilles Peskine | 1004c19 | 2018-01-08 16:59:14 +0100 | [diff] [blame] | 3404 | if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), |
| 3405 | md_alg, hash, hashlen, |
| 3406 | ssl->out_msg + ssl->out_msglen + 2, |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3407 | out_buf_len - ssl->out_msglen - 2, |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3408 | signature_len, |
| Gilles Peskine | 1004c19 | 2018-01-08 16:59:14 +0100 | [diff] [blame] | 3409 | ssl->conf->f_rng, |
| 3410 | ssl->conf->p_rng ) ) != 0 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3411 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3412 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); |
| Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3413 | return( ret ); |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3414 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3415 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3416 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3417 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3418 | return( 0 ); |
| 3419 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3420 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3421 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3422 | * that do not include a ServerKeyExchange message, do nothing. Either |
| 3423 | * way, if successful, move on to the next step in the SSL state |
| 3424 | * machine. */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3425 | static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) |
| 3426 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3427 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3428 | size_t signature_len = 0; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3429 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3430 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3431 | ssl->handshake->ciphersuite_info; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3432 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3433 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3434 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); |
| 3435 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3436 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3437 | /* Extract static ECDH parameters and abort if ServerKeyExchange |
| 3438 | * is not needed. */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3439 | if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) |
| 3440 | { |
| 3441 | /* For suites involving ECDH, extract DH parameters |
| 3442 | * from certificate at this point. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3443 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3444 | if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) |
| 3445 | { |
| 3446 | ssl_get_ecdh_params_from_cert( ssl ); |
| 3447 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3448 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3449 | |
| 3450 | /* Key exchanges not involving ephemeral keys don't use |
| 3451 | * ServerKeyExchange, so end here. */ |
| 3452 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); |
| 3453 | ssl->state++; |
| 3454 | return( 0 ); |
| 3455 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3456 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3457 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3458 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3459 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3460 | /* If we have already prepared the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3461 | * signature operation, resume signing. */ |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3462 | if( ssl->handshake->async_in_progress != 0 ) |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3463 | { |
| 3464 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) ); |
| 3465 | ret = ssl_resume_server_key_exchange( ssl, &signature_len ); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3466 | } |
| 3467 | else |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3468 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3469 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3470 | { |
| 3471 | /* ServerKeyExchange is needed. Prepare the message. */ |
| 3472 | ret = ssl_prepare_server_key_exchange( ssl, &signature_len ); |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3473 | } |
| 3474 | |
| 3475 | if( ret != 0 ) |
| 3476 | { |
| Gilles Peskine | ad28bf0 | 2018-04-26 00:19:16 +0200 | [diff] [blame] | 3477 | /* If we're starting to write a new message, set ssl->out_msglen |
| 3478 | * to 0. But if we're resuming after an asynchronous message, |
| 3479 | * out_msglen is the amount of data written so far and mst be |
| 3480 | * preserved. */ |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3481 | if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| 3482 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) ); |
| 3483 | else |
| 3484 | ssl->out_msglen = 0; |
| 3485 | return( ret ); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3486 | } |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3487 | |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3488 | /* If there is a signature, write its length. |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3489 | * ssl_prepare_server_key_exchange already wrote the signature |
| 3490 | * itself at its proper place in the output buffer. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3491 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3492 | if( signature_len != 0 ) |
| 3493 | { |
| Joe Subbiani | fbeb692 | 2021-07-16 14:27:50 +0100 | [diff] [blame] | 3494 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1( signature_len ); |
| 3495 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0( signature_len ); |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3496 | |
| 3497 | MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", |
| 3498 | ssl->out_msg + ssl->out_msglen, |
| 3499 | signature_len ); |
| 3500 | |
| 3501 | /* Skip over the already-written signature */ |
| 3502 | ssl->out_msglen += signature_len; |
| 3503 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3504 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3505 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3506 | /* Add header and send. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3507 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3508 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3509 | |
| 3510 | ssl->state++; |
| 3511 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 3512 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3513 | { |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 3514 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3515 | return( ret ); |
| 3516 | } |
| 3517 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3518 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3519 | return( 0 ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3520 | } |
| 3521 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3522 | static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3523 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3524 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3525 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3526 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3527 | |
| 3528 | ssl->out_msglen = 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3529 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3530 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3531 | |
| 3532 | ssl->state++; |
| 3533 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3534 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3535 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3536 | mbedtls_ssl_send_flight_completed( ssl ); |
| Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 3537 | #endif |
| 3538 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 3539 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3540 | { |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 3541 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3542 | return( ret ); |
| 3543 | } |
| 3544 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3545 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3546 | if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 3547 | ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) |
| 3548 | { |
| 3549 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); |
| 3550 | return( ret ); |
| 3551 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 3552 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3553 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3554 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3555 | |
| 3556 | return( 0 ); |
| 3557 | } |
| 3558 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3559 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 3560 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| 3561 | static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3562 | const unsigned char *end ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3563 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3564 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3565 | size_t n; |
| 3566 | |
| 3567 | /* |
| 3568 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| 3569 | */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3570 | if( *p + 2 > end ) |
| 3571 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3572 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3573 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3574 | } |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3575 | |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3576 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| 3577 | *p += 2; |
| 3578 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3579 | if( *p + n > end ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3580 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3581 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3582 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3583 | } |
| 3584 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3585 | if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3586 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3587 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); |
| Hanno Becker | b24e74b | 2021-06-24 09:52:01 +0100 | [diff] [blame] | 3588 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3589 | } |
| 3590 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3591 | *p += n; |
| 3592 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3593 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3594 | |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3595 | return( ret ); |
| 3596 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3597 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 3598 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3599 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3600 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3601 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3602 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3603 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3604 | static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl, |
| 3605 | unsigned char *peer_pms, |
| 3606 | size_t *peer_pmslen, |
| 3607 | size_t peer_pmssize ) |
| 3608 | { |
| Gilles Peskine | 8f97af7 | 2018-04-26 11:46:10 +0200 | [diff] [blame] | 3609 | int ret = ssl->conf->f_async_resume( ssl, |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3610 | peer_pms, peer_pmslen, peer_pmssize ); |
| 3611 | if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| 3612 | { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3613 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 1febfef | 2018-04-30 11:54:39 +0200 | [diff] [blame] | 3614 | mbedtls_ssl_set_async_operation_data( ssl, NULL ); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3615 | } |
| 3616 | MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret ); |
| 3617 | return( ret ); |
| 3618 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3619 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3620 | |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3621 | static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, |
| 3622 | const unsigned char *p, |
| 3623 | const unsigned char *end, |
| 3624 | unsigned char *peer_pms, |
| 3625 | size_t *peer_pmslen, |
| 3626 | size_t peer_pmssize ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3627 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3628 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3629 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl ); |
| 3630 | mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk; |
| 3631 | size_t len = mbedtls_pk_get_len( public_key ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3632 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3633 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3634 | /* If we have already started decoding the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3635 | * decryption operation, resume signing. */ |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3636 | if( ssl->handshake->async_in_progress != 0 ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3637 | { |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3638 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) ); |
| 3639 | return( ssl_resume_decrypt_pms( ssl, |
| 3640 | peer_pms, peer_pmslen, peer_pmssize ) ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3641 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3642 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3643 | |
| 3644 | /* |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3645 | * Prepare to decrypt the premaster using own private RSA key |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3646 | */ |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 3647 | if ( p + 2 > end ) { |
| 3648 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3649 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 3650 | } |
| Joe Subbiani | 2194dc4 | 2021-07-14 12:31:31 +0100 | [diff] [blame] | 3651 | if( *p++ != MBEDTLS_BYTE_1( len ) || |
| 3652 | *p++ != MBEDTLS_BYTE_0( len ) ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3653 | { |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 3654 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3655 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3656 | } |
| 3657 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3658 | if( p + len != end ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3659 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3660 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3661 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3662 | } |
| 3663 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3664 | /* |
| 3665 | * Decrypt the premaster secret |
| 3666 | */ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3667 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3668 | if( ssl->conf->f_async_decrypt_start != NULL ) |
| 3669 | { |
| Gilles Peskine | 8f97af7 | 2018-04-26 11:46:10 +0200 | [diff] [blame] | 3670 | ret = ssl->conf->f_async_decrypt_start( ssl, |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3671 | mbedtls_ssl_own_cert( ssl ), |
| 3672 | p, len ); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3673 | switch( ret ) |
| 3674 | { |
| 3675 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3676 | /* act as if f_async_decrypt_start was null */ |
| 3677 | break; |
| 3678 | case 0: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3679 | ssl->handshake->async_in_progress = 1; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3680 | return( ssl_resume_decrypt_pms( ssl, |
| 3681 | peer_pms, |
| 3682 | peer_pmslen, |
| 3683 | peer_pmssize ) ); |
| 3684 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3685 | ssl->handshake->async_in_progress = 1; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3686 | return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); |
| 3687 | default: |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3688 | MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret ); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3689 | return( ret ); |
| 3690 | } |
| 3691 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3692 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3693 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3694 | if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) ) |
| 3695 | { |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3696 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); |
| 3697 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| 3698 | } |
| 3699 | |
| 3700 | ret = mbedtls_pk_decrypt( private_key, p, len, |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3701 | peer_pms, peer_pmslen, peer_pmssize, |
| 3702 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| 3703 | return( ret ); |
| 3704 | } |
| 3705 | |
| 3706 | static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, |
| 3707 | const unsigned char *p, |
| 3708 | const unsigned char *end, |
| 3709 | size_t pms_offset ) |
| 3710 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3711 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3712 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| 3713 | unsigned char ver[2]; |
| 3714 | unsigned char fake_pms[48], peer_pms[48]; |
| 3715 | unsigned char mask; |
| 3716 | size_t i, peer_pmslen; |
| 3717 | unsigned int diff; |
| 3718 | |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3719 | /* In case of a failure in decryption, the decryption may write less than |
| 3720 | * 2 bytes of output, but we always read the first two bytes. It doesn't |
| 3721 | * matter in the end because diff will be nonzero in that case due to |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3722 | * ret being nonzero, and we only care whether diff is 0. |
| 3723 | * But do initialize peer_pms and peer_pmslen for robustness anyway. This |
| 3724 | * also makes memory analyzers happy (don't access uninitialized memory, |
| 3725 | * even if it's an unsigned char). */ |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3726 | peer_pms[0] = peer_pms[1] = ~0; |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3727 | peer_pmslen = 0; |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3728 | |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3729 | ret = ssl_decrypt_encrypted_pms( ssl, p, end, |
| 3730 | peer_pms, |
| 3731 | &peer_pmslen, |
| 3732 | sizeof( peer_pms ) ); |
| 3733 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3734 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3735 | if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) |
| 3736 | return( ret ); |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3737 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3738 | |
| Ronald Cron | 90f0120 | 2022-03-15 15:37:13 +0100 | [diff] [blame] | 3739 | mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3, |
| 3740 | MBEDTLS_SSL_MINOR_VERSION_3, |
| Gilles Peskine | 2e33337 | 2018-04-24 13:22:10 +0200 | [diff] [blame] | 3741 | ssl->conf->transport, ver ); |
| 3742 | |
| 3743 | /* Avoid data-dependent branches while checking for invalid |
| 3744 | * padding, to protect against timing-based Bleichenbacher-type |
| 3745 | * attacks. */ |
| 3746 | diff = (unsigned int) ret; |
| 3747 | diff |= peer_pmslen ^ 48; |
| 3748 | diff |= peer_pms[0] ^ ver[0]; |
| 3749 | diff |= peer_pms[1] ^ ver[1]; |
| 3750 | |
| 3751 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ |
| Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 3752 | mask = mbedtls_ct_uint_mask( diff ); |
| Manuel Pégourié-Gonnard | b9c93d0 | 2015-06-23 13:53:15 +0200 | [diff] [blame] | 3753 | |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3754 | /* |
| 3755 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| 3756 | * must not cause the connection to end immediately; instead, send a |
| 3757 | * bad_record_mac later in the handshake. |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3758 | * To protect against timing-based variants of the attack, we must |
| 3759 | * not have any branch that depends on whether the decryption was |
| 3760 | * successful. In particular, always generate the fake premaster secret, |
| 3761 | * regardless of whether it will ultimately influence the output or not. |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3762 | */ |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 3763 | ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3764 | if( ret != 0 ) |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3765 | { |
| Gilles Peskine | e141638 | 2018-04-26 10:23:21 +0200 | [diff] [blame] | 3766 | /* It's ok to abort on an RNG failure, since this does not reveal |
| 3767 | * anything about the RSA decryption. */ |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3768 | return( ret ); |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3769 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3770 | |
| Manuel Pégourié-Gonnard | 331ba57 | 2015-04-20 12:33:57 +0100 | [diff] [blame] | 3771 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| Manuel Pégourié-Gonnard | ce60fbe | 2015-04-15 16:45:52 +0200 | [diff] [blame] | 3772 | if( diff != 0 ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3773 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3774 | #endif |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3775 | |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3776 | if( sizeof( ssl->handshake->premaster ) < pms_offset || |
| 3777 | sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) |
| 3778 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3779 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 3780 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3781 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3782 | ssl->handshake->pmslen = 48; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3783 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3784 | /* Set pms to either the true or the fake PMS, without |
| 3785 | * data-dependent branches. */ |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3786 | for( i = 0; i < ssl->handshake->pmslen; i++ ) |
| 3787 | pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); |
| 3788 | |
| 3789 | return( 0 ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3790 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3791 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 3792 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3793 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3794 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3795 | static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3796 | const unsigned char *end ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3797 | { |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3798 | int ret = 0; |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 3799 | uint16_t n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3800 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 3801 | if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3802 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3803 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); |
| 3804 | return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3805 | } |
| 3806 | |
| 3807 | /* |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3808 | * Receive client pre-shared key identity name |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3809 | */ |
| Hanno Becker | 83c9f49 | 2017-06-26 13:52:14 +0100 | [diff] [blame] | 3810 | if( end - *p < 2 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3811 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3812 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3813 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3814 | } |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3815 | |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3816 | n = ( (*p)[0] << 8 ) | (*p)[1]; |
| 3817 | *p += 2; |
| 3818 | |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 3819 | if( n == 0 || n > end - *p ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3820 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3821 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3822 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3823 | } |
| 3824 | |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3825 | if( ssl->conf->f_psk != NULL ) |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3826 | { |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3827 | if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3828 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3829 | } |
| Manuel Pégourié-Gonnard | d27680b | 2014-07-08 14:15:55 +0200 | [diff] [blame] | 3830 | else |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3831 | { |
| Manuel Pégourié-Gonnard | 31ff1d2 | 2013-10-28 13:46:11 +0100 | [diff] [blame] | 3832 | /* Identity is not a big secret since clients send it in the clear, |
| 3833 | * but treat it carefully anyway, just in case */ |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 3834 | if( n != ssl->conf->psk_identity_len || |
| Gabor Mezei | 90437e3 | 2021-10-20 11:59:27 +0200 | [diff] [blame] | 3835 | mbedtls_ct_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3836 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3837 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3838 | } |
| 3839 | } |
| 3840 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3841 | if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3842 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3843 | MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); |
| Gilles Peskine | c94f735 | 2017-05-10 16:37:56 +0200 | [diff] [blame] | 3844 | mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3845 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3846 | return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3847 | } |
| 3848 | |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3849 | *p += n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3850 | |
| Manuel Pégourié-Gonnard | d27680b | 2014-07-08 14:15:55 +0200 | [diff] [blame] | 3851 | return( 0 ); |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3852 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3853 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3854 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3855 | static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3856 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3857 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3858 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3859 | unsigned char *p, *end; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3860 | |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3861 | ciphersuite_info = ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3862 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3863 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3864 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3865 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3866 | ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3867 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) |
| 3868 | if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 3869 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) && |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3870 | ( ssl->handshake->async_in_progress != 0 ) ) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3871 | { |
| 3872 | /* We've already read a record and there is an asynchronous |
| 3873 | * operation in progress to decrypt it. So skip reading the |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3874 | * record. */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3875 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) ); |
| 3876 | } |
| 3877 | else |
| 3878 | #endif |
| Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 3879 | if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3880 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3881 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3882 | return( ret ); |
| 3883 | } |
| 3884 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3885 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3886 | end = ssl->in_msg + ssl->in_hslen; |
| Manuel Pégourié-Gonnard | f899583 | 2014-09-10 08:25:12 +0000 | [diff] [blame] | 3887 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3888 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3889 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3890 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3891 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3892 | } |
| 3893 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3894 | if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3895 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3896 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3897 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3898 | } |
| 3899 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3900 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| 3901 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3902 | { |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3903 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3904 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3905 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3906 | return( ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3907 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3908 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3909 | if( p != end ) |
| 3910 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3911 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 3912 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3913 | } |
| 3914 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3915 | if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3916 | ssl->handshake->premaster, |
| Manuel Pégourié-Gonnard | 3335205 | 2015-06-02 16:17:08 +0100 | [diff] [blame] | 3917 | MBEDTLS_PREMASTER_SIZE, |
| Manuel Pégourié-Gonnard | 2d62764 | 2013-09-04 14:22:07 +0200 | [diff] [blame] | 3918 | &ssl->handshake->pmslen, |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 3919 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3920 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3921 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); |
| Hanno Becker | d3eec78 | 2021-06-24 10:21:46 +0100 | [diff] [blame] | 3922 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3923 | } |
| 3924 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3925 | MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3926 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3927 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3928 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3929 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 3930 | ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 3931 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 3932 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 3933 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ) |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3934 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 3935 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 3936 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| 3937 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3938 | { |
| 3939 | size_t data_len = (size_t)( *p++ ); |
| 3940 | size_t buf_len = (size_t)( end - p ); |
| 3941 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 3942 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3943 | |
| 3944 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Read the peer's public key." ) ); |
| 3945 | |
| 3946 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3947 | * We must have at least two bytes (1 for length, at least 1 for data) |
| 3948 | */ |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3949 | if( buf_len < 2 ) |
| 3950 | { |
| 3951 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid buffer length" ) ); |
| 3952 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
| 3953 | } |
| 3954 | |
| 3955 | if( data_len < 1 || data_len > buf_len ) |
| 3956 | { |
| 3957 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid data length" ) ); |
| 3958 | return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); |
| 3959 | } |
| 3960 | |
| 3961 | /* Store peer's ECDH public key. */ |
| 3962 | memcpy( handshake->ecdh_psa_peerkey, p, data_len ); |
| 3963 | handshake->ecdh_psa_peerkey_len = data_len; |
| 3964 | |
| 3965 | /* Compute ECDH shared secret. */ |
| 3966 | status = psa_raw_key_agreement( |
| 3967 | PSA_ALG_ECDH, handshake->ecdh_psa_privkey, |
| 3968 | handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, |
| 3969 | handshake->premaster, sizeof( handshake->premaster ), |
| 3970 | &handshake->pmslen ); |
| 3971 | if( status != PSA_SUCCESS ) |
| 3972 | { |
| 3973 | ret = psa_ssl_status_to_mbedtls( status ); |
| 3974 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret ); |
| Neil Armstrong | f716a70 | 2022-04-04 11:23:46 +0200 | [diff] [blame] | 3975 | if( handshake->ecdh_psa_privkey_is_external == 0 ) |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3976 | (void) psa_destroy_key( handshake->ecdh_psa_privkey ); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3977 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3978 | return( ret ); |
| 3979 | } |
| 3980 | |
| Neil Armstrong | f716a70 | 2022-04-04 11:23:46 +0200 | [diff] [blame] | 3981 | if( handshake->ecdh_psa_privkey_is_external == 0 ) |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3982 | { |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3983 | status = psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 3984 | |
| 3985 | if( status != PSA_SUCCESS ) |
| 3986 | { |
| 3987 | ret = psa_ssl_status_to_mbedtls( status ); |
| 3988 | MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret ); |
| 3989 | return( ret ); |
| 3990 | } |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3991 | } |
| 3992 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3993 | } |
| 3994 | else |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3995 | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
| 3996 | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 3997 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 3998 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 3999 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ) */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4000 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 4001 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 4002 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 4003 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| 4004 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| 4005 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 4006 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| 4007 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 4008 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4009 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 4010 | p, end - p) ) != 0 ) |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4011 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4012 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| Hanno Becker | b24e74b | 2021-06-24 09:52:01 +0100 | [diff] [blame] | 4013 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4014 | } |
| 4015 | |
| Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 4016 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| 4017 | MBEDTLS_DEBUG_ECDH_QP ); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4018 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4019 | if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4020 | &ssl->handshake->pmslen, |
| 4021 | ssl->handshake->premaster, |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4022 | MBEDTLS_MPI_MAX_SIZE, |
| Manuel Pégourié-Gonnard | 750e4d7 | 2015-05-07 12:35:38 +0100 | [diff] [blame] | 4023 | ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4024 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4025 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); |
| Hanno Becker | d3eec78 | 2021-06-24 10:21:46 +0100 | [diff] [blame] | 4026 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4027 | } |
| 4028 | |
| Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 4029 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| 4030 | MBEDTLS_DEBUG_ECDH_Z ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4031 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4032 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4033 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 4034 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 4035 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 4036 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 4037 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| 4038 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 4039 | { |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4040 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 4041 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4042 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 4043 | return( ret ); |
| 4044 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4045 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4046 | if( p != end ) |
| 4047 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4048 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 4049 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4050 | } |
| 4051 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 4052 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 4053 | /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically |
| 4054 | * and skip the intermediate PMS. */ |
| Hanno Becker | c1385c1 | 2018-11-05 12:44:27 +0000 | [diff] [blame] | 4055 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 4056 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); |
| 4057 | else |
| 4058 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4059 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 4060 | ciphersuite_info->key_exchange ) ) != 0 ) |
| 4061 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4062 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 4063 | return( ret ); |
| 4064 | } |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 4065 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4066 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4067 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| 4068 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| 4069 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4070 | { |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 4071 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 4072 | if ( ssl->handshake->async_in_progress != 0 ) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 4073 | { |
| 4074 | /* There is an asynchronous operation in progress to |
| 4075 | * decrypt the encrypted premaster secret, so skip |
| 4076 | * directly to resuming this operation. */ |
| 4077 | MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) ); |
| 4078 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms |
| 4079 | * won't actually use it, but maintain p anyway for robustness. */ |
| 4080 | p += ssl->conf->psk_identity_len + 2; |
| 4081 | } |
| 4082 | else |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 4083 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4084 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| 4085 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4086 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4087 | return( ret ); |
| 4088 | } |
| 4089 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 4090 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 4091 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| 4092 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| 4093 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 4094 | #endif |
| 4095 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4096 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) |
| 4097 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4098 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4099 | return( ret ); |
| 4100 | } |
| 4101 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4102 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4103 | ciphersuite_info->key_exchange ) ) != 0 ) |
| 4104 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4105 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 4106 | return( ret ); |
| 4107 | } |
| 4108 | } |
| 4109 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4110 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 4111 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| 4112 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4113 | { |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4114 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| 4115 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4116 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4117 | return( ret ); |
| 4118 | } |
| 4119 | if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) |
| 4120 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4121 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4122 | return( ret ); |
| 4123 | } |
| 4124 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 4125 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 4126 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| 4127 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| 4128 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 4129 | #endif |
| 4130 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4131 | if( p != end ) |
| 4132 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4133 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); |
| Hanno Becker | 666b5b4 | 2021-06-24 10:13:31 +0100 | [diff] [blame] | 4134 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 4135 | } |
| 4136 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4137 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 4138 | ciphersuite_info->key_exchange ) ) != 0 ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4139 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4140 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 4141 | return( ret ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4142 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4143 | } |
| 4144 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4145 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4146 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 4147 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 4148 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| 4149 | { |
| 4150 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 4151 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 4152 | uint8_t ecpoint_len; |
| 4153 | |
| Neil Armstrong | 1039ba5 | 2022-04-05 10:03:24 +0200 | [diff] [blame] | 4154 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| 4155 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| 4156 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 4157 | |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4158 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 4159 | |
| 4160 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| 4161 | { |
| 4162 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| 4163 | psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 4164 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 4165 | return( ret ); |
| 4166 | } |
| 4167 | |
| 4168 | /* Keep a copy of the peer's public key */ |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 4169 | if( p >= end ) |
| 4170 | { |
| 4171 | psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 4172 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 4173 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 4174 | } |
| 4175 | |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4176 | ecpoint_len = *(p++); |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 4177 | if( (size_t)( end - p ) < ecpoint_len ) { |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4178 | psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 4179 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 4180 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 4181 | } |
| 4182 | |
| 4183 | if( ecpoint_len > sizeof( handshake->ecdh_psa_peerkey ) ) { |
| 4184 | psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 4185 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 4186 | return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); |
| 4187 | } |
| 4188 | |
| 4189 | memcpy( handshake->ecdh_psa_peerkey, p, ecpoint_len ); |
| 4190 | handshake->ecdh_psa_peerkey_len = ecpoint_len; |
| 4191 | p += ecpoint_len; |
| 4192 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 4193 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| Neil Armstrong | fdf20cb | 2022-03-24 09:43:02 +0100 | [diff] [blame] | 4194 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 4195 | * - the octet string produced by the ECDH computation |
| 4196 | * - a uint16 containing the length (in octets) of the PSK |
| 4197 | * - the PSK itself |
| 4198 | */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4199 | unsigned char *psm = ssl->handshake->premaster; |
| Neil Armstrong | d6e2759 | 2022-03-23 18:17:24 +0100 | [diff] [blame] | 4200 | const unsigned char* const psm_end = |
| 4201 | psm + sizeof( ssl->handshake->premaster ); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 4202 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 4203 | const size_t zlen_size = 2; |
| Neil Armstrong | 549a3e4 | 2022-03-23 18:16:24 +0100 | [diff] [blame] | 4204 | size_t zlen = 0; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4205 | |
| 4206 | /* Compute ECDH shared secret. */ |
| 4207 | status = psa_raw_key_agreement( PSA_ALG_ECDH, |
| 4208 | handshake->ecdh_psa_privkey, |
| 4209 | handshake->ecdh_psa_peerkey, |
| 4210 | handshake->ecdh_psa_peerkey_len, |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 4211 | psm + zlen_size, |
| 4212 | psm_end - ( psm + zlen_size ), |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4213 | &zlen ); |
| 4214 | |
| 4215 | destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); |
| 4216 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 4217 | |
| Neil Armstrong | fb0a81e | 2022-03-23 18:17:11 +0100 | [diff] [blame] | 4218 | if( status != PSA_SUCCESS ) |
| 4219 | return( psa_ssl_status_to_mbedtls( status ) ); |
| 4220 | else if( destruction_status != PSA_SUCCESS ) |
| 4221 | return( psa_ssl_status_to_mbedtls( destruction_status ) ); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4222 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 4223 | /* Write the ECDH computation length before the ECDH computation */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4224 | MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 4225 | psm += zlen_size + zlen; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4226 | |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4227 | const unsigned char *psk = NULL; |
| 4228 | size_t psk_len = 0; |
| 4229 | |
| 4230 | if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) |
| 4231 | == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4232 | /* |
| 4233 | * This should never happen because the existence of a PSK is always |
| 4234 | * checked before calling this function |
| 4235 | */ |
| 4236 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4237 | |
| Neil Armstrong | ede381c | 2022-04-05 10:02:59 +0200 | [diff] [blame] | 4238 | /* opaque psk<0..2^16-1>; */ |
| 4239 | if( (size_t)( psm_end - psm ) < ( 2 + psk_len ) ) |
| 4240 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| 4241 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 4242 | /* Write the PSK length as uint16 */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4243 | MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 ); |
| 4244 | psm += 2; |
| 4245 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 4246 | /* Write the PSK itself */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 4247 | memcpy( psm, psk, psk_len ); |
| 4248 | psm += psk_len; |
| 4249 | |
| 4250 | ssl->handshake->pmslen = psm - ssl->handshake->premaster; |
| 4251 | } |
| 4252 | else |
| 4253 | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
| 4254 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4255 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 4256 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4257 | { |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4258 | if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) |
| 4259 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4260 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4261 | return( ret ); |
| 4262 | } |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4263 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4264 | if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4265 | p, end - p ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4266 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4267 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); |
| Hanno Becker | b24e74b | 2021-06-24 09:52:01 +0100 | [diff] [blame] | 4268 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4269 | } |
| 4270 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 4271 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 4272 | /* Opaque PSKs are currently only supported for PSK-only. */ |
| 4273 | if( ssl_use_opaque_psk( ssl ) == 1 ) |
| 4274 | return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); |
| 4275 | #endif |
| 4276 | |
| Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 4277 | MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, |
| 4278 | MBEDTLS_DEBUG_ECDH_QP ); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 4279 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4280 | if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 4281 | ciphersuite_info->key_exchange ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4282 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4283 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4284 | return( ret ); |
| 4285 | } |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 4286 | } |
| 4287 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4288 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| 4289 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| 4290 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 4291 | { |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 4292 | if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 4293 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4294 | MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 4295 | return( ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4296 | } |
| 4297 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4298 | else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4299 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4300 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 4301 | if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) |
| 4302 | { |
| 4303 | ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, |
| 4304 | p, end - p ); |
| 4305 | if( ret != 0 ) |
| 4306 | { |
| 4307 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); |
| Hanno Becker | cbc8f6f | 2021-06-24 10:32:31 +0100 | [diff] [blame] | 4308 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4309 | } |
| 4310 | |
| 4311 | ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, |
| 4312 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 4313 | ssl->conf->f_rng, ssl->conf->p_rng ); |
| 4314 | if( ret != 0 ) |
| 4315 | { |
| 4316 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); |
| 4317 | return( ret ); |
| 4318 | } |
| 4319 | } |
| 4320 | else |
| 4321 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4322 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4323 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4324 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4325 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4326 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4327 | if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 4328 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4329 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 4330 | return( ret ); |
| 4331 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4332 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4333 | ssl->state++; |
| 4334 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4335 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4336 | |
| 4337 | return( 0 ); |
| 4338 | } |
| 4339 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4340 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4341 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4342 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4343 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4344 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4345 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4346 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4347 | |
| Hanno Becker | 77adddc | 2019-02-07 12:32:43 +0000 | [diff] [blame] | 4348 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4349 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4350 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4351 | ssl->state++; |
| 4352 | return( 0 ); |
| 4353 | } |
| 4354 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4355 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); |
| 4356 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4357 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4358 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4359 | static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4360 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4361 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4362 | size_t i, sig_len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4363 | unsigned char hash[48]; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 4364 | unsigned char *hash_start = hash; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4365 | size_t hashlen; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4366 | mbedtls_pk_type_t pk_alg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4367 | mbedtls_md_type_t md_alg; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4368 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4369 | ssl->handshake->ciphersuite_info; |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4370 | mbedtls_pk_context * peer_pk; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4371 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4372 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4373 | |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4374 | if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4375 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4376 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4377 | ssl->state++; |
| 4378 | return( 0 ); |
| 4379 | } |
| 4380 | |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4381 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 4382 | if( ssl->session_negotiate->peer_cert == NULL ) |
| 4383 | { |
| 4384 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| 4385 | ssl->state++; |
| 4386 | return( 0 ); |
| 4387 | } |
| 4388 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4389 | if( ssl->session_negotiate->peer_cert_digest == NULL ) |
| 4390 | { |
| 4391 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); |
| 4392 | ssl->state++; |
| 4393 | return( 0 ); |
| 4394 | } |
| 4395 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4396 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4397 | /* Read the message without adding it to the checksum */ |
| Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 4398 | ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ ); |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4399 | if( 0 != ret ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4400 | { |
| Hanno Becker | 327c93b | 2018-08-15 13:56:18 +0100 | [diff] [blame] | 4401 | MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4402 | return( ret ); |
| 4403 | } |
| 4404 | |
| 4405 | ssl->state++; |
| 4406 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4407 | /* Process the message contents */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4408 | if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 4409 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4410 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4411 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| Hanno Becker | d934a2a | 2021-06-24 10:23:45 +0100 | [diff] [blame] | 4412 | return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4413 | } |
| 4414 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4415 | i = mbedtls_ssl_hs_hdr_len( ssl ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4416 | |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4417 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 4418 | peer_pk = &ssl->handshake->peer_pubkey; |
| 4419 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4420 | if( ssl->session_negotiate->peer_cert == NULL ) |
| 4421 | { |
| 4422 | /* Should never happen */ |
| 4423 | return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); |
| 4424 | } |
| 4425 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 4426 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4427 | |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4428 | /* |
| 4429 | * struct { |
| 4430 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| 4431 | * opaque signature<0..2^16-1>; |
| 4432 | * } DigitallySigned; |
| 4433 | */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4434 | if( i + 2 > ssl->in_hslen ) |
| Manuel Pégourié-Gonnard | b3d9187 | 2013-08-14 15:56:19 +0200 | [diff] [blame] | 4435 | { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4436 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| 4437 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| 4438 | } |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4439 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4440 | /* |
| 4441 | * Hash |
| 4442 | */ |
| 4443 | md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4444 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4445 | if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) |
| 4446 | { |
| 4447 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| 4448 | " for verify message" ) ); |
| 4449 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| 4450 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4451 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4452 | #if !defined(MBEDTLS_MD_SHA1) |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4453 | if( MBEDTLS_MD_SHA1 == md_alg ) |
| 4454 | hash_start += 16; |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4455 | #endif |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4456 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4457 | /* Info from md_alg will be used instead */ |
| 4458 | hashlen = 0; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4459 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4460 | i++; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4461 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4462 | /* |
| 4463 | * Signature |
| 4464 | */ |
| 4465 | if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) |
| 4466 | == MBEDTLS_PK_NONE ) |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 4467 | { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4468 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" |
| 4469 | " for verify message" ) ); |
| 4470 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| Manuel Pégourié-Gonnard | b3d9187 | 2013-08-14 15:56:19 +0200 | [diff] [blame] | 4471 | } |
| Manuel Pégourié-Gonnard | ff56da3 | 2013-07-11 10:46:21 +0200 | [diff] [blame] | 4472 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4473 | /* |
| 4474 | * Check the certificate's key type matches the signature alg |
| 4475 | */ |
| 4476 | if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) |
| 4477 | { |
| 4478 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); |
| 4479 | return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); |
| 4480 | } |
| 4481 | |
| 4482 | i++; |
| 4483 | |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4484 | if( i + 2 > ssl->in_hslen ) |
| 4485 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4486 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| Hanno Becker | d934a2a | 2021-06-24 10:23:45 +0100 | [diff] [blame] | 4487 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4488 | } |
| 4489 | |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4490 | sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; |
| 4491 | i += 2; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4492 | |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4493 | if( i + sig_len != ssl->in_hslen ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4494 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4495 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); |
| Hanno Becker | d934a2a | 2021-06-24 10:23:45 +0100 | [diff] [blame] | 4496 | return( MBEDTLS_ERR_SSL_DECODE_ERROR ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4497 | } |
| 4498 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4499 | /* Calculate hash and verify signature */ |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 4500 | { |
| 4501 | size_t dummy_hlen; |
| 4502 | ssl->handshake->calc_verify( ssl, hash, &dummy_hlen ); |
| 4503 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4504 | |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4505 | if( ( ret = mbedtls_pk_verify( peer_pk, |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 4506 | md_alg, hash_start, hashlen, |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4507 | ssl->in_msg + i, sig_len ) ) != 0 ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4508 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4509 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4510 | return( ret ); |
| 4511 | } |
| 4512 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4513 | mbedtls_ssl_update_handshake_status( ssl ); |
| 4514 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4515 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4516 | |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4517 | return( ret ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4518 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4519 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4520 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4521 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 4522 | static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4523 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4524 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4525 | size_t tlen; |
| Manuel Pégourié-Gonnard | b0394be | 2015-05-19 11:40:30 +0200 | [diff] [blame] | 4526 | uint32_t lifetime; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4527 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4528 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4529 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4530 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 4531 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4532 | |
| 4533 | /* |
| 4534 | * struct { |
| 4535 | * uint32 ticket_lifetime_hint; |
| 4536 | * opaque ticket<0..2^16-1>; |
| 4537 | * } NewSessionTicket; |
| 4538 | * |
| 4539 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| 4540 | * 8 . 9 ticket_len (n) |
| 4541 | * 10 . 9+n ticket content |
| 4542 | */ |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 4543 | |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 4544 | if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 4545 | ssl->session_negotiate, |
| 4546 | ssl->out_msg + 10, |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 4547 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| Manuel Pégourié-Gonnard | b0394be | 2015-05-19 11:40:30 +0200 | [diff] [blame] | 4548 | &tlen, &lifetime ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 4549 | { |
| Manuel Pégourié-Gonnard | a4a4735 | 2015-05-15 15:14:54 +0200 | [diff] [blame] | 4550 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 4551 | tlen = 0; |
| 4552 | } |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4553 | |
| Joe Subbiani | 6dd7364 | 2021-07-19 11:56:54 +0100 | [diff] [blame] | 4554 | MBEDTLS_PUT_UINT32_BE( lifetime, ssl->out_msg, 4 ); |
| 4555 | MBEDTLS_PUT_UINT16_BE( tlen, ssl->out_msg, 8 ); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4556 | ssl->out_msglen = 10 + tlen; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4557 | |
| Manuel Pégourié-Gonnard | 145dfcb | 2014-02-26 14:23:33 +0100 | [diff] [blame] | 4558 | /* |
| 4559 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| 4560 | * ChangeCipherSpec share the same state. |
| 4561 | */ |
| 4562 | ssl->handshake->new_session_ticket = 0; |
| 4563 | |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4564 | if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4565 | { |
| Manuel Pégourié-Gonnard | 31c1586 | 2017-09-13 09:38:11 +0200 | [diff] [blame] | 4566 | MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4567 | return( ret ); |
| 4568 | } |
| 4569 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4570 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4571 | |
| 4572 | return( 0 ); |
| 4573 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4574 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4575 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4576 | /* |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4577 | * SSL handshake -- server side -- single step |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4578 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4579 | int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4580 | { |
| 4581 | int ret = 0; |
| 4582 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4583 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4584 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4585 | switch( ssl->state ) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4586 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4587 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 4588 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4589 | break; |
| 4590 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4591 | /* |
| 4592 | * <== ClientHello |
| 4593 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4594 | case MBEDTLS_SSL_CLIENT_HELLO: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4595 | ret = ssl_parse_client_hello( ssl ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4596 | break; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4597 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4598 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4599 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| 4600 | return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); |
| Manuel Pégourié-Gonnard | 579950c | 2014-09-29 17:47:33 +0200 | [diff] [blame] | 4601 | #endif |
| 4602 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4603 | /* |
| 4604 | * ==> ServerHello |
| 4605 | * Certificate |
| 4606 | * ( ServerKeyExchange ) |
| 4607 | * ( CertificateRequest ) |
| 4608 | * ServerHelloDone |
| 4609 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4610 | case MBEDTLS_SSL_SERVER_HELLO: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4611 | ret = ssl_write_server_hello( ssl ); |
| 4612 | break; |
| 4613 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4614 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| 4615 | ret = mbedtls_ssl_write_certificate( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4616 | break; |
| 4617 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4618 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4619 | ret = ssl_write_server_key_exchange( ssl ); |
| 4620 | break; |
| 4621 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4622 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4623 | ret = ssl_write_certificate_request( ssl ); |
| 4624 | break; |
| 4625 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4626 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4627 | ret = ssl_write_server_hello_done( ssl ); |
| 4628 | break; |
| 4629 | |
| 4630 | /* |
| 4631 | * <== ( Certificate/Alert ) |
| 4632 | * ClientKeyExchange |
| 4633 | * ( CertificateVerify ) |
| 4634 | * ChangeCipherSpec |
| 4635 | * Finished |
| 4636 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4637 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| 4638 | ret = mbedtls_ssl_parse_certificate( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4639 | break; |
| 4640 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4641 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4642 | ret = ssl_parse_client_key_exchange( ssl ); |
| 4643 | break; |
| 4644 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4645 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4646 | ret = ssl_parse_certificate_verify( ssl ); |
| 4647 | break; |
| 4648 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4649 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| 4650 | ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4651 | break; |
| 4652 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4653 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| 4654 | ret = mbedtls_ssl_parse_finished( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4655 | break; |
| 4656 | |
| 4657 | /* |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4658 | * ==> ( NewSessionTicket ) |
| 4659 | * ChangeCipherSpec |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4660 | * Finished |
| 4661 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4662 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 4663 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | 7cd5924 | 2013-08-02 13:24:41 +0200 | [diff] [blame] | 4664 | if( ssl->handshake->new_session_ticket != 0 ) |
| 4665 | ret = ssl_write_new_session_ticket( ssl ); |
| 4666 | else |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 4667 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4668 | ret = mbedtls_ssl_write_change_cipher_spec( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4669 | break; |
| 4670 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4671 | case MBEDTLS_SSL_SERVER_FINISHED: |
| 4672 | ret = mbedtls_ssl_write_finished( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4673 | break; |
| 4674 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4675 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| 4676 | MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); |
| 4677 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4678 | break; |
| 4679 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4680 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| 4681 | mbedtls_ssl_handshake_wrapup( ssl ); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4682 | break; |
| 4683 | |
| 4684 | default: |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4685 | MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); |
| 4686 | return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4687 | } |
| 4688 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4689 | return( ret ); |
| 4690 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4691 | |
| TRodziewicz | 3946f79 | 2021-06-14 12:11:18 +0200 | [diff] [blame] | 4692 | void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order ) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4693 | { |
| TRodziewicz | 3946f79 | 2021-06-14 12:11:18 +0200 | [diff] [blame] | 4694 | conf->respect_cli_pref = order; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4695 | } |
| 4696 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 4697 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |