| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2 | * TLS client-side functions |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3 | * |
| Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 4 | * Copyright The Mbed TLS Contributors |
| Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 18 | */ |
| 19 | |
| Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 20 | #include "common.h" |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 23 | |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 24 | #include "mbedtls/platform.h" |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 25 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 26 | #include "mbedtls/ssl.h" |
| Ronald Cron | 7320e64 | 2022-03-08 13:34:49 +0100 | [diff] [blame] | 27 | #include "ssl_client.h" |
| Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 28 | #include "ssl_misc.h" |
| Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 29 | #include "mbedtls/debug.h" |
| 30 | #include "mbedtls/error.h" |
| Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 31 | #include "mbedtls/constant_time.h" |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 32 | |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 33 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 34 | #include "mbedtls/psa_util.h" |
| Ronald Cron | 69a6342 | 2021-10-18 09:47:58 +0200 | [diff] [blame] | 35 | #include "psa/crypto.h" |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 36 | #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ |
| 37 | psa_to_ssl_errors, \ |
| 38 | psa_generic_status_to_mbedtls) |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 39 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 40 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 41 | #include <string.h> |
| 42 | |
| Manuel Pégourié-Gonnard | 9386664 | 2015-06-22 19:21:23 +0200 | [diff] [blame] | 43 | #include <stdint.h> |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 44 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 45 | #if defined(MBEDTLS_HAVE_TIME) |
| Simon Butcher | b5b6af2 | 2016-07-13 14:46:18 +0100 | [diff] [blame] | 46 | #include "mbedtls/platform_time.h" |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 47 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 48 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 49 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 50 | #include "mbedtls/platform_util.h" |
| Paul Bakker | 3461772 | 2014-06-13 17:20:13 +0200 | [diff] [blame] | 51 | #endif |
| 52 | |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 53 | #include "hash_info.h" |
| 54 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 55 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 56 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 57 | static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
| 58 | unsigned char *buf, |
| 59 | const unsigned char *end, |
| 60 | size_t *olen) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 61 | { |
| 62 | unsigned char *p = buf; |
| 63 | |
| 64 | *olen = 0; |
| 65 | |
| Tom Cosgrove | ce7f18c | 2022-07-28 05:50:56 +0100 | [diff] [blame] | 66 | /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the |
| Hanno Becker | 40f8b51 | 2017-10-12 14:58:55 +0100 | [diff] [blame] | 67 | * initial ClientHello, in which case also adding the renegotiation |
| 68 | * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 69 | if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| 70 | return 0; |
| 71 | } |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 72 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 73 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 74 | ("client hello, adding renegotiation extension")); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 75 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 76 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 77 | |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 78 | /* |
| 79 | * Secure renegotiation |
| 80 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 81 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 82 | p += 2; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 83 | |
| 84 | *p++ = 0x00; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 85 | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1); |
| 86 | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 87 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 88 | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 89 | |
| 90 | *olen = 5 + ssl->verify_data_len; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 91 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 92 | return 0; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 93 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 94 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 95 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 96 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 97 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 98 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 99 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 100 | static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 101 | unsigned char *buf, |
| 102 | const unsigned char *end, |
| 103 | size_t *olen) |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 104 | { |
| 105 | unsigned char *p = buf; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 106 | (void) ssl; /* ssl used for debugging only */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 107 | |
| 108 | *olen = 0; |
| 109 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 110 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 111 | ("client hello, adding supported_point_formats extension")); |
| 112 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 113 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 114 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 115 | p += 2; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 116 | |
| 117 | *p++ = 0x00; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 118 | *p++ = 2; |
| Manuel Pégourié-Gonnard | 6b8846d | 2013-08-15 17:42:02 +0200 | [diff] [blame] | 119 | |
| 120 | *p++ = 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 121 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 122 | |
| Manuel Pégourié-Gonnard | 6b8846d | 2013-08-15 17:42:02 +0200 | [diff] [blame] | 123 | *olen = 6; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 124 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 125 | return 0; |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 126 | } |
| Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 127 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 128 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | d3edc86 | 2013-03-20 16:07:17 +0100 | [diff] [blame] | 129 | |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 130 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 131 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 132 | static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
| 133 | unsigned char *buf, |
| 134 | const unsigned char *end, |
| 135 | size_t *olen) |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 136 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 137 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 138 | unsigned char *p = buf; |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 139 | size_t kkpp_len = 0; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 140 | |
| 141 | *olen = 0; |
| 142 | |
| 143 | /* Skip costly extension if we can't use EC J-PAKE anyway */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 144 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 145 | if (ssl->handshake->psa_pake_ctx_is_ok != 1) { |
| 146 | return 0; |
| 147 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 148 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 149 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) { |
| 150 | return 0; |
| 151 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 152 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 153 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 154 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 155 | ("client hello, adding ecjpake_kkpp extension")); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 156 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 157 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 158 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 159 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 160 | p += 2; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 161 | |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 162 | /* |
| 163 | * We may need to send ClientHello multiple times for Hello verification. |
| 164 | * We don't want to compute fresh values every time (both for performance |
| 165 | * and consistency reasons), so cache the extension content. |
| 166 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 167 | if (ssl->handshake->ecjpake_cache == NULL || |
| 168 | ssl->handshake->ecjpake_cache_len == 0) { |
| 169 | MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters")); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 170 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 171 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Valerio Setti | 6b3dab0 | 2022-11-17 17:14:54 +0100 | [diff] [blame] | 172 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 173 | p + 2, end - p - 2, &kkpp_len, |
| 174 | MBEDTLS_ECJPAKE_ROUND_ONE); |
| 175 | if (ret != 0) { |
| 176 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 177 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 178 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 179 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 180 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 181 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 182 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
| 183 | p + 2, end - p - 2, &kkpp_len, |
| 184 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 185 | if (ret != 0) { |
| 186 | MBEDTLS_SSL_DEBUG_RET(1, |
| 187 | "mbedtls_ecjpake_write_round_one", ret); |
| 188 | return ret; |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 189 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 190 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 191 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 192 | ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len); |
| 193 | if (ssl->handshake->ecjpake_cache == NULL) { |
| 194 | MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed")); |
| 195 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 196 | } |
| 197 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 198 | memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 199 | ssl->handshake->ecjpake_cache_len = kkpp_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 200 | } else { |
| 201 | MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters")); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 202 | |
| 203 | kkpp_len = ssl->handshake->ecjpake_cache_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 204 | MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 205 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 206 | memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len); |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 207 | } |
| 208 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 209 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 210 | p += 2; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 211 | |
| 212 | *olen = kkpp_len + 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 213 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 214 | return 0; |
| Manuel Pégourié-Gonnard | 294139b | 2015-09-15 16:55:05 +0200 | [diff] [blame] | 215 | } |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 216 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | c3f177a | 2012-04-11 16:11:49 +0000 | [diff] [blame] | 217 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 218 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 219 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 220 | static int ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
| 221 | unsigned char *buf, |
| 222 | const unsigned char *end, |
| 223 | size_t *olen) |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 224 | { |
| 225 | unsigned char *p = buf; |
| 226 | size_t ext_len; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 227 | |
| 228 | /* |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 229 | * struct { |
| 230 | * opaque cid<0..2^8-1>; |
| 231 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 232 | */ |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 233 | |
| 234 | *olen = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 235 | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
| 236 | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| 237 | return 0; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 238 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 239 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension")); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 240 | |
| 241 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 242 | * which is at most 255, so the increment cannot overflow. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 243 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5)); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 244 | |
| 245 | /* Add extension ID + size */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 246 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 247 | p += 2; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 248 | ext_len = (size_t) ssl->own_cid_len + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 249 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 250 | p += 2; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 251 | |
| 252 | *p++ = (uint8_t) ssl->own_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 253 | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 254 | |
| 255 | *olen = ssl->own_cid_len + 5; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 256 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 257 | return 0; |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 258 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 259 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 49770ff | 2019-04-25 16:55:15 +0100 | [diff] [blame] | 260 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 261 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 262 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 263 | static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 264 | unsigned char *buf, |
| 265 | const unsigned char *end, |
| 266 | size_t *olen) |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 267 | { |
| 268 | unsigned char *p = buf; |
| 269 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 270 | *olen = 0; |
| 271 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 272 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
| 273 | return 0; |
| 274 | } |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 275 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 276 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 277 | ("client hello, adding max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 278 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 279 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 280 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 281 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 282 | p += 2; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 283 | |
| 284 | *p++ = 0x00; |
| 285 | *p++ = 1; |
| 286 | |
| Manuel Pégourié-Gonnard | 7ca4e4d | 2015-05-04 10:55:58 +0200 | [diff] [blame] | 287 | *p++ = ssl->conf->mfl_code; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 288 | |
| 289 | *olen = 5; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 290 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 291 | return 0; |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 292 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 293 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 294 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 295 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 296 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 297 | static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 298 | unsigned char *buf, |
| 299 | const unsigned char *end, |
| 300 | size_t *olen) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 301 | { |
| 302 | unsigned char *p = buf; |
| 303 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 304 | *olen = 0; |
| 305 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 306 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { |
| 307 | return 0; |
| 308 | } |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 309 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 310 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 311 | ("client hello, adding encrypt_then_mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 312 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 313 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 314 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 315 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 316 | p += 2; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 317 | |
| 318 | *p++ = 0x00; |
| 319 | *p++ = 0x00; |
| 320 | |
| 321 | *olen = 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 322 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 323 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 324 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 325 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 326 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 327 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 328 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 329 | static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 330 | unsigned char *buf, |
| 331 | const unsigned char *end, |
| 332 | size_t *olen) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 333 | { |
| 334 | unsigned char *p = buf; |
| 335 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 336 | *olen = 0; |
| 337 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 338 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { |
| 339 | return 0; |
| 340 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 341 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 342 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 343 | ("client hello, adding extended_master_secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 344 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 345 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 346 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 347 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 348 | p += 2; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 349 | |
| 350 | *p++ = 0x00; |
| 351 | *p++ = 0x00; |
| 352 | |
| 353 | *olen = 4; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 354 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 355 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 356 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 357 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 358 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 359 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 360 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 361 | static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 362 | unsigned char *buf, |
| 363 | const unsigned char *end, |
| 364 | size_t *olen) |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 365 | { |
| 366 | unsigned char *p = buf; |
| 367 | size_t tlen = ssl->session_negotiate->ticket_len; |
| 368 | |
| Simon Butcher | 0fc94e9 | 2015-09-28 20:52:04 +0100 | [diff] [blame] | 369 | *olen = 0; |
| 370 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 371 | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { |
| 372 | return 0; |
| 373 | } |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 374 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 375 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 376 | ("client hello, adding session ticket extension")); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 377 | |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 378 | /* The addition is safe here since the ticket length is 16 bit. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 379 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen); |
| Simon Butcher | ed99766 | 2015-09-28 02:14:30 +0100 | [diff] [blame] | 380 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 381 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 382 | p += 2; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 383 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 384 | MBEDTLS_PUT_UINT16_BE(tlen, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 385 | p += 2; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 386 | |
| 387 | *olen = 4; |
| 388 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 389 | if (ssl->session_negotiate->ticket == NULL || tlen == 0) { |
| 390 | return 0; |
| 391 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 392 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 393 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 394 | ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen)); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 395 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 396 | memcpy(p, ssl->session_negotiate->ticket, tlen); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 397 | |
| 398 | *olen += tlen; |
| Hanno Becker | 261602c | 2017-04-12 14:54:42 +0100 | [diff] [blame] | 399 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 400 | return 0; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 401 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 402 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 403 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 404 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 405 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 406 | static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 407 | unsigned char *buf, |
| 408 | const unsigned char *end, |
| 409 | size_t *olen) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 410 | { |
| 411 | unsigned char *p = buf; |
| Johan Pascal | f6417ec | 2020-09-22 15:15:19 +0200 | [diff] [blame] | 412 | size_t protection_profiles_index = 0, ext_len = 0; |
| 413 | uint16_t mki_len = 0, profile_value = 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 414 | |
| 415 | *olen = 0; |
| 416 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 417 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 418 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 419 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 420 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 421 | } |
| 422 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 423 | /* RFC 5764 section 4.1.1 |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 424 | * uint8 SRTPProtectionProfile[2]; |
| 425 | * |
| 426 | * struct { |
| 427 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 428 | * opaque srtp_mki<0..255>; |
| 429 | * } UseSRTPData; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 430 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 431 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 432 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 433 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 434 | } |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 435 | /* Extension length = 2 bytes for profiles length, |
| 436 | * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ), |
| 437 | * 1 byte for srtp_mki vector length and the mki_len value |
| 438 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 439 | ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len; |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 440 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 441 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension")); |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 442 | |
| 443 | /* Check there is room in the buffer for the extension + 4 bytes |
| 444 | * - the extension tag (2 bytes) |
| 445 | * - the extension length (2 bytes) |
| 446 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 447 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4); |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 448 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 449 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 450 | p += 2; |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 451 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 452 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 453 | p += 2; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 454 | |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 455 | /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ |
| Johan Pascal | aae4d22 | 2020-09-22 21:21:39 +0200 | [diff] [blame] | 456 | /* micro-optimization: |
| 457 | * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH |
| 458 | * which is lower than 127, so the upper byte of the length is always 0 |
| 459 | * For the documentation, the more generic code is left in comments |
| 460 | * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len ) |
| 461 | * >> 8 ) & 0xFF ); |
| 462 | */ |
| 463 | *p++ = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 464 | *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 465 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 466 | for (protection_profiles_index = 0; |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 467 | protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 468 | protection_profiles_index++) { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 469 | profile_value = mbedtls_ssl_check_srtp_profile_value |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 470 | (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]); |
| 471 | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
| 472 | MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x", |
| 473 | profile_value)); |
| 474 | MBEDTLS_PUT_UINT16_BE(profile_value, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 475 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 476 | } else { |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 477 | /* |
| 478 | * Note: we shall never arrive here as protection profiles |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 479 | * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 480 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 481 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 482 | ("client hello, " |
| 483 | "illegal DTLS-SRTP protection profile %d", |
| 484 | ssl->conf->dtls_srtp_profile_list[protection_profiles_index] |
| 485 | )); |
| 486 | return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 487 | } |
| 488 | } |
| 489 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 490 | *p++ = mki_len & 0xFF; |
| 491 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 492 | if (mki_len != 0) { |
| 493 | memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len); |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 494 | /* |
| 495 | * Increment p to point to the current position. |
| 496 | */ |
| 497 | p += mki_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 498 | MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value, |
| 499 | ssl->dtls_srtp_info.mki_len); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 500 | } |
| 501 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 502 | /* |
| 503 | * total extension length: extension type (2 bytes) |
| 504 | * + extension length (2 bytes) |
| 505 | * + protection profile length (2 bytes) |
| 506 | * + 2 * number of protection profiles |
| 507 | * + srtp_mki vector length(1 byte) |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 508 | * + mki value |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 509 | */ |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 510 | *olen = p - buf; |
| Johan Pascal | 77696ee | 2020-09-22 21:49:40 +0200 | [diff] [blame] | 511 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 512 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 513 | } |
| 514 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 515 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 516 | int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, |
| 517 | unsigned char *buf, |
| 518 | const unsigned char *end, |
| 519 | int uses_ec, |
| 520 | size_t *out_len) |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 521 | { |
| 522 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 523 | unsigned char *p = buf; |
| 524 | size_t ext_len = 0; |
| 525 | |
| 526 | (void) ssl; |
| 527 | (void) end; |
| 528 | (void) uses_ec; |
| 529 | (void) ret; |
| 530 | (void) ext_len; |
| 531 | |
| 532 | *out_len = 0; |
| 533 | |
| 534 | /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added |
| 535 | * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ |
| 536 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 537 | if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) { |
| 538 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret); |
| 539 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 540 | } |
| 541 | p += ext_len; |
| 542 | #endif |
| 543 | |
| 544 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| 545 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 546 | if (uses_ec) { |
| 547 | if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end, |
| 548 | &ext_len)) != 0) { |
| 549 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret); |
| 550 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 551 | } |
| 552 | p += ext_len; |
| 553 | } |
| 554 | #endif |
| 555 | |
| 556 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 557 | if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) { |
| 558 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret); |
| 559 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 560 | } |
| 561 | p += ext_len; |
| 562 | #endif |
| 563 | |
| 564 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 565 | if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) { |
| 566 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret); |
| 567 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 568 | } |
| 569 | p += ext_len; |
| 570 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 571 | |
| 572 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 573 | if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end, |
| 574 | &ext_len)) != 0) { |
| 575 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret); |
| 576 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 577 | } |
| 578 | p += ext_len; |
| 579 | #endif |
| 580 | |
| 581 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 582 | if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) { |
| 583 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret); |
| 584 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 585 | } |
| 586 | p += ext_len; |
| 587 | #endif |
| 588 | |
| 589 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 590 | if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) { |
| 591 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret); |
| 592 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 593 | } |
| 594 | p += ext_len; |
| 595 | #endif |
| 596 | |
| 597 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 598 | if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) { |
| 599 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret); |
| 600 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 601 | } |
| 602 | p += ext_len; |
| 603 | #endif |
| 604 | |
| 605 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 606 | if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) { |
| 607 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret); |
| 608 | return ret; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 609 | } |
| 610 | p += ext_len; |
| 611 | #endif |
| 612 | |
| 613 | *out_len = p - buf; |
| 614 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | return 0; |
| Ronald Cron | 12dcdf0 | 2022-02-16 15:28:22 +0100 | [diff] [blame] | 616 | } |
| 617 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 618 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 619 | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
| 620 | const unsigned char *buf, |
| 621 | size_t len) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 622 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 623 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 624 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 31ff1d2 | 2013-10-28 13:46:11 +0100 | [diff] [blame] | 625 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 626 | if (len != 1 + ssl->verify_data_len * 2 || |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 627 | buf[0] != ssl->verify_data_len * 2 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 628 | mbedtls_ct_memcmp(buf + 1, |
| 629 | ssl->own_verify_data, ssl->verify_data_len) != 0 || |
| 630 | mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len, |
| 631 | ssl->peer_verify_data, ssl->verify_data_len) != 0) { |
| 632 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 633 | mbedtls_ssl_send_alert_message( |
| 634 | ssl, |
| 635 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 636 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 637 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 638 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 639 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 640 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 641 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 642 | if (len != 1 || buf[0] != 0x00) { |
| 643 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 644 | ("non-zero length renegotiation info")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 645 | mbedtls_ssl_send_alert_message( |
| 646 | ssl, |
| 647 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 648 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 649 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 650 | } |
| 651 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 652 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 653 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 654 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 655 | return 0; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 656 | } |
| Manuel Pégourié-Gonnard | 57c2852 | 2013-07-19 11:41:43 +0200 | [diff] [blame] | 657 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 658 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 659 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 660 | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 661 | const unsigned char *buf, |
| 662 | size_t len) |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 663 | { |
| 664 | /* |
| 665 | * server should use the extension only if we did, |
| 666 | * and if so the server's value should match ours (and len is always 1) |
| 667 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 668 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 669 | len != 1 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 670 | buf[0] != ssl->conf->mfl_code) { |
| 671 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 672 | ("non-matching max fragment length extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 673 | mbedtls_ssl_send_alert_message( |
| 674 | ssl, |
| 675 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 676 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 677 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 678 | } |
| 679 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 680 | return 0; |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 681 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 682 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 683 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 684 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 685 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 686 | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
| 687 | const unsigned char *buf, |
| 688 | size_t len) |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 689 | { |
| 690 | size_t peer_cid_len; |
| 691 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 692 | if ( /* CID extension only makes sense in DTLS */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 693 | ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
| 694 | /* The server must only send the CID extension if we have offered it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 695 | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| 696 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected")); |
| 697 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 698 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 699 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Hanno Becker | 2262648 | 2019-05-03 12:46:59 +0100 | [diff] [blame] | 700 | } |
| 701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 702 | if (len == 0) { |
| 703 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 704 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 705 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 706 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 707 | } |
| 708 | |
| 709 | peer_cid_len = *buf++; |
| 710 | len--; |
| 711 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 712 | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
| 713 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 714 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 715 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 716 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 717 | } |
| 718 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 719 | if (len != peer_cid_len) { |
| 720 | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
| 721 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 722 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 723 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 724 | } |
| 725 | |
| Hanno Becker | 5a29990 | 2019-05-03 12:47:49 +0100 | [diff] [blame] | 726 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 727 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 728 | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 729 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 730 | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
| 731 | MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 732 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 733 | return 0; |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 734 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 735 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 736 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 737 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 738 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 739 | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 740 | const unsigned char *buf, |
| 741 | size_t len) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 742 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 743 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
| 744 | len != 0) { |
| 745 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 746 | ("non-matching encrypt-then-MAC extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 747 | mbedtls_ssl_send_alert_message( |
| 748 | ssl, |
| 749 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 750 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 751 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 752 | } |
| 753 | |
| 754 | ((void) buf); |
| 755 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 756 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 757 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 758 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 759 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 760 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 761 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 762 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 763 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 764 | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 765 | const unsigned char *buf, |
| 766 | size_t len) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 767 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 768 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
| 769 | len != 0) { |
| 770 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 771 | ("non-matching extended master secret extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 772 | mbedtls_ssl_send_alert_message( |
| 773 | ssl, |
| 774 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 775 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 776 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 777 | } |
| 778 | |
| 779 | ((void) buf); |
| 780 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 781 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 782 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 783 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 784 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 785 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 786 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 787 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 788 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 789 | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 790 | const unsigned char *buf, |
| 791 | size_t len) |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 792 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 793 | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || |
| 794 | len != 0) { |
| 795 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 796 | ("non-matching session ticket extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 797 | mbedtls_ssl_send_alert_message( |
| 798 | ssl, |
| 799 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 800 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 801 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 802 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 803 | |
| 804 | ((void) buf); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 805 | |
| 806 | ssl->handshake->new_session_ticket = 1; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 807 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 808 | return 0; |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 809 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 810 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 811 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 812 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 813 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 814 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 815 | static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 816 | const unsigned char *buf, |
| 817 | size_t len) |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 818 | { |
| 819 | size_t list_size; |
| 820 | const unsigned char *p; |
| 821 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 822 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
| 823 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 824 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 825 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 826 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 827 | } |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 828 | list_size = buf[0]; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 829 | |
| Manuel Pégourié-Gonnard | fd35af1 | 2014-06-23 14:10:13 +0200 | [diff] [blame] | 830 | p = buf + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 831 | while (list_size > 0) { |
| 832 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 833 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
| Valerio Setti | 4642316 | 2023-03-27 14:33:27 +0200 | [diff] [blame] | 834 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) |
| Manuel Pégourié-Gonnard | 5734b2d | 2013-08-15 19:04:02 +0200 | [diff] [blame] | 835 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| Valerio Setti | 77a904c | 2023-03-24 07:28:49 +0100 | [diff] [blame] | 836 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 837 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 838 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 839 | mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, |
| 840 | p[0]); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 841 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 842 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
| 843 | return 0; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 844 | } |
| 845 | |
| 846 | list_size--; |
| 847 | p++; |
| 848 | } |
| 849 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 850 | MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common")); |
| 851 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 852 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 853 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 854 | } |
| Darryl Green | 11999bb | 2018-03-13 15:22:58 +0000 | [diff] [blame] | 855 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 856 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 857 | |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 858 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 859 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 860 | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
| 861 | const unsigned char *buf, |
| 862 | size_t len) |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 863 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 864 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 865 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 866 | if (ssl->handshake->ciphersuite_info->key_exchange != |
| 867 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| 868 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
| 869 | return 0; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 870 | } |
| 871 | |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 872 | /* If we got here, we no longer need our cached extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 873 | mbedtls_free(ssl->handshake->ecjpake_cache); |
| Manuel Pégourié-Gonnard | d0d8cb3 | 2015-09-17 14:16:30 +0200 | [diff] [blame] | 874 | ssl->handshake->ecjpake_cache = NULL; |
| 875 | ssl->handshake->ecjpake_cache_len = 0; |
| 876 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 877 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 878 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 879 | &ssl->handshake->psa_pake_ctx, buf, len, |
| 880 | MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { |
| 881 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 882 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 883 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 884 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 885 | mbedtls_ssl_send_alert_message( |
| 886 | ssl, |
| 887 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 888 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 889 | return ret; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 890 | } |
| 891 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 892 | return 0; |
| 893 | #else |
| 894 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
| 895 | buf, len)) != 0) { |
| 896 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
| 897 | mbedtls_ssl_send_alert_message( |
| 898 | ssl, |
| 899 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 900 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 901 | return ret; |
| 902 | } |
| 903 | |
| 904 | return 0; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 905 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 906 | } |
| 907 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 57c2852 | 2013-07-19 11:41:43 +0200 | [diff] [blame] | 908 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 909 | #if defined(MBEDTLS_SSL_ALPN) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 910 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 911 | static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, |
| 912 | const unsigned char *buf, size_t len) |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 913 | { |
| 914 | size_t list_len, name_len; |
| 915 | const char **p; |
| 916 | |
| 917 | /* If we didn't send it, the server shouldn't send it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 918 | if (ssl->conf->alpn_list == NULL) { |
| 919 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 920 | mbedtls_ssl_send_alert_message( |
| 921 | ssl, |
| 922 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 923 | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
| 924 | return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 925 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 926 | |
| 927 | /* |
| 928 | * opaque ProtocolName<1..2^8-1>; |
| 929 | * |
| 930 | * struct { |
| 931 | * ProtocolName protocol_name_list<2..2^16-1> |
| 932 | * } ProtocolNameList; |
| 933 | * |
| 934 | * the "ProtocolNameList" MUST contain exactly one "ProtocolName" |
| 935 | */ |
| 936 | |
| 937 | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 938 | if (len < 4) { |
| 939 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 940 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 941 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 942 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 943 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 944 | list_len = (buf[0] << 8) | buf[1]; |
| 945 | if (list_len != len - 2) { |
| 946 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 947 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 948 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 949 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 950 | |
| 951 | name_len = buf[2]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 952 | if (name_len != list_len - 1) { |
| 953 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 954 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 955 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 956 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 957 | |
| 958 | /* Check that the server chosen protocol was in our list and save it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 959 | for (p = ssl->conf->alpn_list; *p != NULL; p++) { |
| 960 | if (name_len == strlen(*p) && |
| 961 | memcmp(buf + 3, *p, name_len) == 0) { |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 962 | ssl->alpn_chosen = *p; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 963 | return 0; |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 964 | } |
| 965 | } |
| 966 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 967 | MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol")); |
| 968 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 969 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 970 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 971 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 972 | #endif /* MBEDTLS_SSL_ALPN */ |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 973 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 974 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 975 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 976 | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 977 | const unsigned char *buf, |
| 978 | size_t len) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 979 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 980 | mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 981 | size_t i, mki_len = 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 982 | uint16_t server_protection_profile_value = 0; |
| 983 | |
| 984 | /* If use_srtp is not configured, just ignore the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 985 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 986 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 987 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 988 | return 0; |
| 989 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 990 | |
| Ron Eldor | a978804 | 2018-12-05 11:04:31 +0200 | [diff] [blame] | 991 | /* RFC 5764 section 4.1.1 |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 992 | * uint8 SRTPProtectionProfile[2]; |
| 993 | * |
| 994 | * struct { |
| 995 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 996 | * opaque srtp_mki<0..255>; |
| 997 | * } UseSRTPData; |
| 998 | |
| 999 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| 1000 | * |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1001 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1002 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1003 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 1004 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1005 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1006 | /* |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 1007 | * Length is 5 + optional mki_value : one protection profile length (2 bytes) |
| 1008 | * + protection profile (2 bytes) |
| 1009 | * + mki_len(1 byte) |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 1010 | * and optional srtp_mki |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1011 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1012 | if ((len < 5) || (len != (buf[4] + 5u))) { |
| 1013 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1014 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1015 | |
| 1016 | /* |
| 1017 | * get the server protection profile |
| 1018 | */ |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1019 | |
| 1020 | /* |
| 1021 | * protection profile length must be 0x0002 as we must have only |
| 1022 | * one protection profile in server Hello |
| 1023 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1024 | if ((buf[0] != 0) || (buf[1] != 2)) { |
| 1025 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1026 | } |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1027 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1028 | server_protection_profile_value = (buf[2] << 8) | buf[3]; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1029 | server_protection = mbedtls_ssl_check_srtp_profile_value( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1030 | server_protection_profile_value); |
| 1031 | if (server_protection != MBEDTLS_TLS_SRTP_UNSET) { |
| 1032 | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
| 1033 | mbedtls_ssl_get_srtp_profile_as_string( |
| 1034 | server_protection))); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1035 | } |
| 1036 | |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1037 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1038 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1039 | /* |
| 1040 | * Check we have the server profile in our list |
| 1041 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1042 | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
| 1043 | if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 1044 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1045 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 1046 | mbedtls_ssl_get_srtp_profile_as_string( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1047 | server_protection))); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1048 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1049 | } |
| 1050 | } |
| 1051 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1052 | /* If no match was found : server problem, it shall never answer with incompatible profile */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1053 | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { |
| 1054 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1055 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1056 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1057 | } |
| Johan Pascal | 20c7db3 | 2020-10-26 22:45:58 +0100 | [diff] [blame] | 1058 | |
| 1059 | /* If server does not use mki in its reply, make sure the client won't keep |
| 1060 | * one as negotiated */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1061 | if (len == 5) { |
| Johan Pascal | 20c7db3 | 2020-10-26 22:45:58 +0100 | [diff] [blame] | 1062 | ssl->dtls_srtp_info.mki_len = 0; |
| 1063 | } |
| 1064 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 1065 | /* |
| 1066 | * RFC5764: |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1067 | * If the client detects a nonzero-length MKI in the server's response |
| 1068 | * that is different than the one the client offered, then the client |
| 1069 | * MUST abort the handshake and SHOULD send an invalid_parameter alert. |
| 1070 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1071 | if (len > 5 && (buf[4] != mki_len || |
| 1072 | (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) { |
| 1073 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1074 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1075 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1076 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1077 | #if defined(MBEDTLS_DEBUG_C) |
| 1078 | if (len > 5) { |
| 1079 | MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value, |
| 1080 | ssl->dtls_srtp_info.mki_len); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 1081 | } |
| 1082 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1083 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1084 | } |
| 1085 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1086 | |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1087 | /* |
| 1088 | * Parse HelloVerifyRequest. Only called after verifying the HS type. |
| 1089 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1090 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1091 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1092 | static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1093 | { |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1094 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1095 | const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Glenn Strauss | 8315811 | 2022-04-13 14:59:34 -0400 | [diff] [blame] | 1096 | uint16_t dtls_legacy_version; |
| Jerry Yu | e01304f | 2022-04-07 10:51:55 +0800 | [diff] [blame] | 1097 | |
| 1098 | #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| 1099 | uint8_t cookie_len; |
| 1100 | #else |
| 1101 | uint16_t cookie_len; |
| 1102 | #endif |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1103 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1104 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1105 | |
| Gilles Peskine | b64bf06 | 2019-09-27 14:02:44 +0200 | [diff] [blame] | 1106 | /* Check that there is enough room for: |
| 1107 | * - 2 bytes of version |
| 1108 | * - 1 byte of cookie_len |
| 1109 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1110 | if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) { |
| 1111 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1112 | ("incoming HelloVerifyRequest message is too short")); |
| 1113 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1114 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1115 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Gilles Peskine | b64bf06 | 2019-09-27 14:02:44 +0200 | [diff] [blame] | 1116 | } |
| 1117 | |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1118 | /* |
| 1119 | * struct { |
| 1120 | * ProtocolVersion server_version; |
| 1121 | * opaque cookie<0..2^8-1>; |
| 1122 | * } HelloVerifyRequest; |
| 1123 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1124 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
| 1125 | dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1126 | p += 2; |
| 1127 | |
| TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 1128 | /* |
| Glenn Strauss | 8315811 | 2022-04-13 14:59:34 -0400 | [diff] [blame] | 1129 | * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff) |
| 1130 | * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to |
| 1131 | * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2) |
| TRodziewicz | 2d8800e | 2021-05-13 19:14:19 +0200 | [diff] [blame] | 1132 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1133 | if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) { |
| 1134 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1135 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1136 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1137 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1138 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1139 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1140 | } |
| 1141 | |
| 1142 | cookie_len = *p++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1143 | if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) { |
| 1144 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1145 | ("cookie length does not match incoming message size")); |
| 1146 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1147 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1148 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andres AG | 5a87c93 | 2016-09-26 14:53:05 +0100 | [diff] [blame] | 1149 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1150 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len); |
| Andres AG | 5a87c93 | 2016-09-26 14:53:05 +0100 | [diff] [blame] | 1151 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1152 | mbedtls_free(ssl->handshake->cookie); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1153 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1154 | ssl->handshake->cookie = mbedtls_calloc(1, cookie_len); |
| 1155 | if (ssl->handshake->cookie == NULL) { |
| 1156 | MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len)); |
| 1157 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1158 | } |
| 1159 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1160 | memcpy(ssl->handshake->cookie, p, cookie_len); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1161 | ssl->handshake->cookie_len = cookie_len; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1162 | |
| Manuel Pégourié-Gonnard | 67427c0 | 2014-07-11 13:45:34 +0200 | [diff] [blame] | 1163 | /* Start over at ClientHello */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1164 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1165 | ret = mbedtls_ssl_reset_checksum(ssl); |
| 1166 | if (0 != ret) { |
| 1167 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret); |
| 1168 | return ret; |
| 1169 | } |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1170 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1171 | mbedtls_ssl_recv_flight_completed(ssl); |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 1172 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1173 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request")); |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1174 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1175 | return 0; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1176 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1177 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1178 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1179 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1180 | static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1181 | { |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1182 | int ret, i; |
| Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1183 | size_t n; |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1184 | size_t ext_len; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1185 | unsigned char *buf, *ext; |
| Manuel Pégourié-Gonnard | 1cf7b30 | 2015-06-24 22:28:19 +0200 | [diff] [blame] | 1186 | unsigned char comp; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1187 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1188 | int renegotiation_info_seen = 0; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1189 | #endif |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1190 | int handshake_failure = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1191 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1192 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1193 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1194 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1195 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1196 | /* No alert on a read error. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1197 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 1198 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1199 | } |
| 1200 | |
| Hanno Becker | 79594fd | 2019-05-08 09:38:41 +0100 | [diff] [blame] | 1201 | buf = ssl->in_msg; |
| 1202 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1203 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1204 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1205 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 44ade65 | 2014-08-19 13:58:40 +0200 | [diff] [blame] | 1206 | ssl->renego_records_seen++; |
| 1207 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1208 | if (ssl->conf->renego_max_records >= 0 && |
| 1209 | ssl->renego_records_seen > ssl->conf->renego_max_records) { |
| 1210 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1211 | ("renegotiation requested, but not honored by server")); |
| 1212 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | 44ade65 | 2014-08-19 13:58:40 +0200 | [diff] [blame] | 1213 | } |
| 1214 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1215 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1216 | ("non-handshake message during renegotiation")); |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 1217 | |
| 1218 | ssl->keep_current_message = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1219 | return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO; |
| Manuel Pégourié-Gonnard | 6591962 | 2014-08-19 12:50:30 +0200 | [diff] [blame] | 1220 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1221 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 6591962 | 2014-08-19 12:50:30 +0200 | [diff] [blame] | 1222 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1223 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1224 | mbedtls_ssl_send_alert_message( |
| 1225 | ssl, |
| 1226 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1227 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 1228 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1229 | } |
| 1230 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1231 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1232 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1233 | if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) { |
| 1234 | MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request")); |
| 1235 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
| 1236 | return ssl_parse_hello_verify_request(ssl); |
| 1237 | } else { |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1238 | /* We made it through the verification process */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1239 | mbedtls_free(ssl->handshake->cookie); |
| XiaokangQian | 9b93c0d | 2022-02-09 06:02:25 +0000 | [diff] [blame] | 1240 | ssl->handshake->cookie = NULL; |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1241 | ssl->handshake->cookie_len = 0; |
| Manuel Pégourié-Gonnard | 7484881 | 2014-07-11 02:43:49 +0200 | [diff] [blame] | 1242 | } |
| 1243 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1244 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1245 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1246 | if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) || |
| 1247 | buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) { |
| 1248 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1249 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1250 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1251 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1252 | } |
| 1253 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1254 | /* |
| 1255 | * 0 . 1 server_version |
| 1256 | * 2 . 33 random (maybe including 4 bytes of Unix time) |
| 1257 | * 34 . 34 session_id length = n |
| 1258 | * 35 . 34+n session_id |
| 1259 | * 35+n . 36+n cipher_suite |
| 1260 | * 37+n . 37+n compression_method |
| 1261 | * |
| 1262 | * 38+n . 39+n extensions length (optional) |
| 1263 | * 40+n . .. extensions |
| 1264 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1265 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1266 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1267 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2); |
| 1268 | ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); |
| Glenn Strauss | 60bfe60 | 2022-03-14 19:04:24 -0400 | [diff] [blame] | 1269 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1270 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1271 | if (ssl->tls_version < ssl->conf->min_tls_version || |
| 1272 | ssl->tls_version > ssl->conf->max_tls_version) { |
| 1273 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1274 | ( |
| 1275 | "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]", |
| 1276 | (unsigned) ssl->conf->min_tls_version, |
| 1277 | (unsigned) ssl->tls_version, |
| 1278 | (unsigned) ssl->conf->max_tls_version)); |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1279 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1280 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1281 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1282 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1283 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1284 | } |
| 1285 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1286 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu", |
| 1287 | ((unsigned long) buf[2] << 24) | |
| 1288 | ((unsigned long) buf[3] << 16) | |
| 1289 | ((unsigned long) buf[4] << 8) | |
| 1290 | ((unsigned long) buf[5]))); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1291 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1292 | memcpy(ssl->handshake->randbytes + 32, buf + 2, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1293 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1294 | n = buf[34]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1295 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1296 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1297 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1298 | if (n > 32) { |
| 1299 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1300 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1301 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1302 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1303 | } |
| 1304 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1305 | if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) { |
| 1306 | ext_len = ((buf[38 + n] << 8) |
| 1307 | | (buf[39 + n])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1308 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1309 | if ((ext_len > 0 && ext_len < 4) || |
| 1310 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) { |
| 1311 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1312 | mbedtls_ssl_send_alert_message( |
| 1313 | ssl, |
| 1314 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1315 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1316 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1317 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1318 | } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) { |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1319 | ext_len = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1320 | } else { |
| 1321 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1322 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1323 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1324 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | f7cdbc0 | 2014-10-17 17:02:10 +0200 | [diff] [blame] | 1325 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1326 | |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1327 | /* ciphersuite (used later) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1328 | i = (buf[35 + n] << 8) | buf[36 + n]; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1329 | |
| 1330 | /* |
| 1331 | * Read and check compression |
| 1332 | */ |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1333 | comp = buf[37 + n]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1334 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1335 | if (comp != MBEDTLS_SSL_COMPRESS_NULL) { |
| 1336 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1337 | ("server hello, bad compression: %d", comp)); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1338 | mbedtls_ssl_send_alert_message( |
| 1339 | ssl, |
| 1340 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1341 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1342 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Manuel Pégourié-Gonnard | a0e1632 | 2014-07-14 17:38:41 +0200 | [diff] [blame] | 1343 | } |
| 1344 | |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1345 | /* |
| 1346 | * Initialize update checksum functions |
| 1347 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1348 | ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); |
| 1349 | if (ssl->handshake->ciphersuite_info == NULL) { |
| 1350 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1351 | ("ciphersuite info for %04x not found", (unsigned int) i)); |
| 1352 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1353 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 1354 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 1355 | } |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1356 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1357 | mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info); |
| Manuel Pégourié-Gonnard | 3c599f1 | 2014-03-10 13:25:07 +0100 | [diff] [blame] | 1358 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1359 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
| 1360 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1361 | |
| 1362 | /* |
| 1363 | * Check if the session can be resumed |
| 1364 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1365 | if (ssl->handshake->resume == 0 || n == 0 || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1366 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1367 | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1368 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1369 | ssl->session_negotiate->ciphersuite != i || |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1370 | ssl->session_negotiate->id_len != n || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1371 | memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1372 | ssl->state++; |
| Paul Bakker | 0a59707 | 2012-09-25 21:55:46 +0000 | [diff] [blame] | 1373 | ssl->handshake->resume = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1374 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1375 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 1376 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1377 | ssl->session_negotiate->ciphersuite = i; |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1378 | ssl->session_negotiate->id_len = n; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1379 | memcpy(ssl->session_negotiate->id, buf + 35, n); |
| 1380 | } else { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1381 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1382 | } |
| 1383 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1384 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
| 1385 | ssl->handshake->resume ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1386 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1387 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i)); |
| 1388 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d", |
| 1389 | buf[37 + n])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1390 | |
| Andrzej Kurek | 03bac44 | 2018-04-25 05:06:07 -0400 | [diff] [blame] | 1391 | /* |
| 1392 | * Perform cipher suite validation in same way as in ssl_write_client_hello. |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1393 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1394 | i = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1395 | while (1) { |
| 1396 | if (ssl->conf->ciphersuite_list[i] == 0) { |
| 1397 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1398 | mbedtls_ssl_send_alert_message( |
| 1399 | ssl, |
| 1400 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1401 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1402 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1403 | } |
| 1404 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1405 | if (ssl->conf->ciphersuite_list[i++] == |
| 1406 | ssl->session_negotiate->ciphersuite) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1407 | break; |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1408 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1409 | } |
| 1410 | |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1411 | suite_info = mbedtls_ssl_ciphersuite_from_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1412 | ssl->session_negotiate->ciphersuite); |
| 1413 | if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version, |
| 1414 | ssl->tls_version) != 0) { |
| 1415 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1416 | mbedtls_ssl_send_alert_message( |
| 1417 | ssl, |
| 1418 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1419 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1420 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1421 | } |
| 1422 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1423 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1424 | ("server hello, chosen ciphersuite: %s", suite_info->name)); |
| Mohammad Azim Khan | 1d3b508 | 2018-04-18 19:35:00 +0100 | [diff] [blame] | 1425 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1426 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1427 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && |
| 1428 | ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { |
| Manuel Pégourié-Gonnard | da19f4c | 2018-06-12 12:40:54 +0200 | [diff] [blame] | 1429 | ssl->handshake->ecrs_enabled = 1; |
| 1430 | } |
| 1431 | #endif |
| 1432 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1433 | if (comp != MBEDTLS_SSL_COMPRESS_NULL) { |
| 1434 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1435 | mbedtls_ssl_send_alert_message( |
| 1436 | ssl, |
| 1437 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1438 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 1439 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1440 | } |
| 1441 | |
| Manuel Pégourié-Gonnard | 0b3400d | 2014-09-10 21:23:41 +0200 | [diff] [blame] | 1442 | ext = buf + 40 + n; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1443 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1444 | MBEDTLS_SSL_DEBUG_MSG(2, |
| 1445 | ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 1446 | ext_len)); |
| Manuel Pégourié-Gonnard | a052849 | 2013-07-16 17:26:28 +0200 | [diff] [blame] | 1447 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1448 | while (ext_len) { |
| 1449 | unsigned int ext_id = ((ext[0] << 8) |
| 1450 | | (ext[1])); |
| 1451 | unsigned int ext_size = ((ext[2] << 8) |
| 1452 | | (ext[3])); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1453 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1454 | if (ext_size + 4 > ext_len) { |
| 1455 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1456 | mbedtls_ssl_send_alert_message( |
| 1457 | ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1458 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1459 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1460 | } |
| 1461 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1462 | switch (ext_id) { |
| 1463 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| 1464 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1465 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1466 | renegotiation_info_seen = 1; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1467 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1468 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1469 | if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4, |
| 1470 | ext_size)) != 0) { |
| 1471 | return ret; |
| 1472 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1473 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1474 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1475 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1476 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1477 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| 1478 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1479 | ("found max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1480 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1481 | if ((ret = ssl_parse_max_fragment_length_ext(ssl, |
| 1482 | ext + 4, ext_size)) != 0) { |
| 1483 | return ret; |
| 1484 | } |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1485 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1486 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1487 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | de600e5 | 2013-07-17 10:14:38 +0200 | [diff] [blame] | 1488 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1489 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1490 | case MBEDTLS_TLS_EXT_CID: |
| 1491 | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1492 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1493 | if ((ret = ssl_parse_cid_ext(ssl, |
| 1494 | ext + 4, |
| 1495 | ext_size)) != 0) { |
| 1496 | return ret; |
| 1497 | } |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1498 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1499 | break; |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1500 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | a8373a1 | 2019-04-26 15:37:26 +0100 | [diff] [blame] | 1501 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1502 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1503 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| 1504 | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1505 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1506 | if ((ret = ssl_parse_encrypt_then_mac_ext(ssl, |
| 1507 | ext + 4, ext_size)) != 0) { |
| 1508 | return ret; |
| 1509 | } |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1510 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1511 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1512 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1513 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1514 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1515 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| 1516 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1517 | ("found extended_master_secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1518 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1519 | if ((ret = ssl_parse_extended_ms_ext(ssl, |
| 1520 | ext + 4, ext_size)) != 0) { |
| 1521 | return ret; |
| 1522 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1523 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1524 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1525 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1526 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1527 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1528 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| 1529 | MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension")); |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1530 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1531 | if ((ret = ssl_parse_session_ticket_ext(ssl, |
| 1532 | ext + 4, ext_size)) != 0) { |
| 1533 | return ret; |
| 1534 | } |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1535 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1536 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1537 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 60182ef | 2013-08-02 14:44:54 +0200 | [diff] [blame] | 1538 | |
| Robert Cragie | 136884c | 2015-10-02 13:34:31 +0100 | [diff] [blame] | 1539 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1540 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1541 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| 1542 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1543 | ("found supported_point_formats extension")); |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1544 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1545 | if ((ret = ssl_parse_supported_point_formats_ext(ssl, |
| 1546 | ext + 4, ext_size)) != 0) { |
| 1547 | return ret; |
| 1548 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1549 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1550 | break; |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1551 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
| 1552 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1553 | |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1554 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1555 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| 1556 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension")); |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1557 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1558 | if ((ret = ssl_parse_ecjpake_kkpp(ssl, |
| 1559 | ext + 4, ext_size)) != 0) { |
| 1560 | return ret; |
| 1561 | } |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1562 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1563 | break; |
| Manuel Pégourié-Gonnard | 0a1324a | 2015-09-16 16:01:00 +0200 | [diff] [blame] | 1564 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1565 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1566 | #if defined(MBEDTLS_SSL_ALPN) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1567 | case MBEDTLS_TLS_EXT_ALPN: |
| 1568 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1569 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1570 | if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) { |
| 1571 | return ret; |
| 1572 | } |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1573 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1574 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1575 | #endif /* MBEDTLS_SSL_ALPN */ |
| Manuel Pégourié-Gonnard | 0b874dc | 2014-04-07 10:57:45 +0200 | [diff] [blame] | 1576 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1577 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1578 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| 1579 | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1580 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1581 | if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) { |
| 1582 | return ret; |
| 1583 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1584 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1585 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1586 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1587 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1588 | default: |
| 1589 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 1590 | ("unknown extension found: %u (ignoring)", ext_id)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1591 | } |
| 1592 | |
| 1593 | ext_len -= 4 + ext_size; |
| 1594 | ext += 4 + ext_size; |
| 1595 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1596 | if (ext_len > 0 && ext_len < 4) { |
| 1597 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
| 1598 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1599 | } |
| 1600 | } |
| 1601 | |
| 1602 | /* |
| Andrzej Kurek | 21b5080 | 2022-07-06 03:26:55 -0400 | [diff] [blame] | 1603 | * mbedtls_ssl_derive_keys() has to be called after the parsing of the |
| 1604 | * extensions. It sets the transform data for the resumed session which in |
| 1605 | * case of DTLS includes the server CID extracted from the CID extension. |
| 1606 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1607 | if (ssl->handshake->resume) { |
| 1608 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 1609 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| Andrzej Kurek | 7cf8725 | 2022-06-14 07:12:33 -0400 | [diff] [blame] | 1610 | mbedtls_ssl_send_alert_message( |
| 1611 | ssl, |
| 1612 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1613 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 1614 | return ret; |
| Andrzej Kurek | 7cf8725 | 2022-06-14 07:12:33 -0400 | [diff] [blame] | 1615 | } |
| 1616 | } |
| 1617 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1618 | /* |
| 1619 | * Renegotiation security checks |
| 1620 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1621 | if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1622 | ssl->conf->allow_legacy_renegotiation == |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1623 | MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
| 1624 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1625 | ("legacy renegotiation, breaking off handshake")); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1626 | handshake_failure = 1; |
| 1627 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1628 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1629 | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1630 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1631 | renegotiation_info_seen == 0) { |
| 1632 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1633 | ("renegotiation_info extension missing (secure)")); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1634 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1635 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1636 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1637 | ssl->conf->allow_legacy_renegotiation == |
| 1638 | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
| 1639 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1640 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1641 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1642 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1643 | renegotiation_info_seen == 1) { |
| 1644 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1645 | ("renegotiation_info extension present (legacy)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1646 | handshake_failure = 1; |
| 1647 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1648 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1649 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1650 | if (handshake_failure == 1) { |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 1651 | mbedtls_ssl_send_alert_message( |
| 1652 | ssl, |
| 1653 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1654 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1655 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1656 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1657 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1658 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1659 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1660 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1661 | } |
| 1662 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1663 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 1664 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1665 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1666 | static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl, |
| 1667 | unsigned char **p, |
| 1668 | unsigned char *end) |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1669 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1670 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Gilles Peskine | e8a2fc8 | 2020-12-08 22:46:11 +0100 | [diff] [blame] | 1671 | size_t dhm_actual_bitlen; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1672 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1673 | /* |
| 1674 | * Ephemeral DH parameters: |
| 1675 | * |
| 1676 | * struct { |
| 1677 | * opaque dh_p<1..2^16-1>; |
| 1678 | * opaque dh_g<1..2^16-1>; |
| 1679 | * opaque dh_Ys<1..2^16-1>; |
| 1680 | * } ServerDHParams; |
| 1681 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1682 | if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx, |
| 1683 | p, end)) != 0) { |
| 1684 | MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret); |
| 1685 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1686 | } |
| 1687 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1688 | dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx); |
| 1689 | if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) { |
| 1690 | MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u", |
| 1691 | dhm_actual_bitlen, |
| 1692 | ssl->conf->dhm_min_bitlen)); |
| 1693 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1694 | } |
| 1695 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1696 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
| 1697 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
| 1698 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1699 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1700 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1701 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1702 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 1703 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1704 | |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 1705 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1706 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1707 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1708 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1709 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1710 | static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, |
| 1711 | unsigned char **p, |
| 1712 | unsigned char *end) |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1713 | { |
| 1714 | uint16_t tls_id; |
| 1715 | uint8_t ecpoint_len; |
| 1716 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1717 | psa_ecc_family_t ec_psa_family = 0; |
| 1718 | size_t ec_bits = 0; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1719 | |
| 1720 | /* |
| Manuel Pégourié-Gonnard | e511989 | 2021-12-09 11:45:03 +0100 | [diff] [blame] | 1721 | * struct { |
| 1722 | * ECParameters curve_params; |
| 1723 | * ECPoint public; |
| 1724 | * } ServerECDHParams; |
| 1725 | * |
| Manuel Pégourié-Gonnard | 422370d | 2022-02-07 11:55:21 +0100 | [diff] [blame] | 1726 | * 1 curve_type (must be "named_curve") |
| Manuel Pégourié-Gonnard | e511989 | 2021-12-09 11:45:03 +0100 | [diff] [blame] | 1727 | * 2..3 NamedCurve |
| 1728 | * 4 ECPoint.len |
| 1729 | * 5+ ECPoint contents |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1730 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1731 | if (end - *p < 4) { |
| 1732 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1733 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1734 | |
| 1735 | /* First byte is curve_type; only named_curve is handled */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1736 | if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) { |
| 1737 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1738 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1739 | |
| 1740 | /* Next two bytes are the namedcurve value */ |
| 1741 | tls_id = *(*p)++; |
| 1742 | tls_id <<= 8; |
| 1743 | tls_id |= *(*p)++; |
| 1744 | |
| Manuel Pégourié-Gonnard | 141be6c | 2022-01-25 11:46:19 +0100 | [diff] [blame] | 1745 | /* Check it's a curve we offered */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1746 | if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) { |
| 1747 | MBEDTLS_SSL_DEBUG_MSG(2, |
| 1748 | ("bad server key exchange message (ECDHE curve): %u", |
| 1749 | (unsigned) tls_id)); |
| 1750 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | ff229cf | 2022-02-07 12:00:32 +0100 | [diff] [blame] | 1751 | } |
| Manuel Pégourié-Gonnard | 141be6c | 2022-01-25 11:46:19 +0100 | [diff] [blame] | 1752 | |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1753 | /* Convert EC's TLS ID to PSA key type. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1754 | if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ec_psa_family, |
| 1755 | &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { |
| 1756 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1757 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1758 | handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 1759 | handshake->ecdh_bits = ec_bits; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1760 | |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1761 | /* Keep a copy of the peer's public key */ |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1762 | ecpoint_len = *(*p)++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1763 | if ((size_t) (end - *p) < ecpoint_len) { |
| 1764 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1765 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1766 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1767 | if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { |
| 1768 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1769 | } |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1770 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1771 | memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len); |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1772 | handshake->ecdh_psa_peerkey_len = ecpoint_len; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1773 | *p += ecpoint_len; |
| Manuel Pégourié-Gonnard | 4a0ac1f | 2022-01-18 12:30:40 +0100 | [diff] [blame] | 1774 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1775 | return 0; |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1776 | } |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1777 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 1778 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 1779 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 1780 | #else |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1781 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1782 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 1783 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1784 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 1785 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1786 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1787 | static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1788 | { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 1789 | uint16_t tls_id; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1790 | mbedtls_ecp_group_id grp_id; |
| 1791 | #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) |
| 1792 | grp_id = ssl->handshake->ecdh_ctx.grp.id; |
| 1793 | #else |
| 1794 | grp_id = ssl->handshake->ecdh_ctx.grp_id; |
| 1795 | #endif |
| Hanno Becker | bb89e27 | 2019-01-08 12:54:37 +0000 | [diff] [blame] | 1796 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1797 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| 1798 | if (tls_id == 0) { |
| 1799 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1800 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1801 | } |
| 1802 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1803 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", |
| 1804 | mbedtls_ssl_get_curve_name_from_tls_id(tls_id))); |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1805 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1806 | if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { |
| 1807 | return -1; |
| 1808 | } |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1809 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1810 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 1811 | MBEDTLS_DEBUG_ECDH_QP); |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1812 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1813 | return 0; |
| Neil Armstrong | 1f198d8 | 2022-04-13 15:02:30 +0200 | [diff] [blame] | 1814 | } |
| 1815 | |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1816 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 1817 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 1818 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 1819 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 1820 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 1821 | |
| 1822 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 1823 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| 1824 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1825 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1826 | static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, |
| 1827 | unsigned char **p, |
| 1828 | unsigned char *end) |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1829 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1830 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1831 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1832 | /* |
| 1833 | * Ephemeral ECDH parameters: |
| 1834 | * |
| 1835 | * struct { |
| 1836 | * ECParameters curve_params; |
| 1837 | * ECPoint public; |
| 1838 | * } ServerECDHParams; |
| 1839 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1840 | if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx, |
| 1841 | (const unsigned char **) p, end)) != 0) { |
| 1842 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1843 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1844 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 1c1c20e | 2018-09-12 10:34:43 +0200 | [diff] [blame] | 1845 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1846 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 1847 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1848 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1849 | } |
| 1850 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1851 | if (ssl_check_server_ecdh_params(ssl) != 0) { |
| 1852 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1853 | ("bad server key exchange message (ECDHE curve)")); |
| 1854 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1855 | } |
| 1856 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1857 | return ret; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1858 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1859 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ |
| 1860 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ |
| Andrzej Kurek | 468c506 | 2022-10-24 10:30:14 -0400 | [diff] [blame] | 1861 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| 1862 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1863 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1864 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1865 | static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, |
| 1866 | unsigned char **p, |
| 1867 | unsigned char *end) |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1868 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1869 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 1870 | uint16_t len; |
| Paul Bakker | c5a79cc | 2013-06-26 15:08:35 +0200 | [diff] [blame] | 1871 | ((void) ssl); |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1872 | |
| 1873 | /* |
| 1874 | * PSK parameters: |
| 1875 | * |
| 1876 | * opaque psk_identity_hint<0..2^16-1>; |
| 1877 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1878 | if (end - (*p) < 2) { |
| 1879 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1880 | ("bad server key exchange message (psk_identity_hint length)")); |
| 1881 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | 740b218 | 2018-03-13 11:31:14 +0100 | [diff] [blame] | 1882 | } |
| Manuel Pégourié-Gonnard | 59b9fe2 | 2013-10-15 11:55:33 +0200 | [diff] [blame] | 1883 | len = (*p)[0] << 8 | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 1884 | *p += 2; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1885 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1886 | if (end - (*p) < len) { |
| 1887 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1888 | ("bad server key exchange message (psk_identity_hint length)")); |
| 1889 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1890 | } |
| 1891 | |
| Manuel Pégourié-Gonnard | 9d62412 | 2016-02-22 11:10:14 +0100 | [diff] [blame] | 1892 | /* |
| Tom Cosgrove | ed4f59e | 2022-12-05 12:07:50 +0000 | [diff] [blame] | 1893 | * Note: we currently ignore the PSK identity hint, as we only allow one |
| Tom Cosgrove | 1797b05 | 2022-12-04 17:19:59 +0000 | [diff] [blame] | 1894 | * PSK to be provisioned on the client. This could be changed later if |
| Manuel Pégourié-Gonnard | 9d62412 | 2016-02-22 11:10:14 +0100 | [diff] [blame] | 1895 | * someone needs that feature. |
| 1896 | */ |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1897 | *p += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 1898 | ret = 0; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1899 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1900 | return ret; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1901 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1902 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 1903 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1904 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 1905 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1906 | /* |
| 1907 | * Generate a pre-master secret and encrypt it with the server's RSA key |
| 1908 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1909 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1910 | static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl, |
| 1911 | size_t offset, size_t *olen, |
| 1912 | size_t pms_offset) |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1913 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1914 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 1915 | size_t len_bytes = 2; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1916 | unsigned char *p = ssl->handshake->premaster + pms_offset; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1917 | mbedtls_pk_context *peer_pk; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1918 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1919 | if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 1920 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms")); |
| 1921 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 1922 | } |
| 1923 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1924 | /* |
| 1925 | * Generate (part of) the pre-master as |
| 1926 | * struct { |
| 1927 | * ProtocolVersion client_version; |
| 1928 | * opaque random[46]; |
| 1929 | * } PreMasterSecret; |
| 1930 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1931 | mbedtls_ssl_write_version(p, ssl->conf->transport, |
| 1932 | MBEDTLS_SSL_VERSION_TLS1_2); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1933 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1934 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) { |
| 1935 | MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); |
| 1936 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1937 | } |
| 1938 | |
| 1939 | ssl->handshake->pmslen = 48; |
| 1940 | |
| Hanno Becker | c7d7e29 | 2019-02-06 16:49:54 +0000 | [diff] [blame] | 1941 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1942 | peer_pk = &ssl->handshake->peer_pubkey; |
| 1943 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1944 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | 8273df8 | 2019-02-06 17:37:32 +0000 | [diff] [blame] | 1945 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1946 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1947 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 1948 | } |
| Hanno Becker | c7d7e29 | 2019-02-06 16:49:54 +0000 | [diff] [blame] | 1949 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 1950 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 1951 | |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1952 | /* |
| 1953 | * Now write it out, encrypted |
| 1954 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1955 | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) { |
| 1956 | MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch")); |
| 1957 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1958 | } |
| 1959 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1960 | if ((ret = mbedtls_pk_encrypt(peer_pk, |
| 1961 | p, ssl->handshake->pmslen, |
| 1962 | ssl->out_msg + offset + len_bytes, olen, |
| 1963 | MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, |
| 1964 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 1965 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret); |
| 1966 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1967 | } |
| 1968 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1969 | if (len_bytes == 2) { |
| 1970 | MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset); |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1971 | *olen += 2; |
| 1972 | } |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1973 | |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 1974 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1975 | /* We don't need the peer's public key anymore. Free it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1976 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 1977 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1978 | return 0; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 1979 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1980 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 1981 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 1982 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1983 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 1984 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1985 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1986 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 1987 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1988 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1989 | mbedtls_pk_context *peer_pk; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 1990 | |
| Hanno Becker | be7f508 | 2019-02-06 17:44:07 +0000 | [diff] [blame] | 1991 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 1992 | peer_pk = &ssl->handshake->peer_pubkey; |
| 1993 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1994 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | 8273df8 | 2019-02-06 17:37:32 +0000 | [diff] [blame] | 1995 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1996 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1997 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 1998 | } |
| Hanno Becker | be7f508 | 2019-02-06 17:44:07 +0000 | [diff] [blame] | 1999 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 2000 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Manuel Pégourié-Gonnard | 7f2f062 | 2015-09-03 10:44:32 +0200 | [diff] [blame] | 2001 | |
| Manuel Pégourié-Gonnard | 66b0d61 | 2022-06-17 10:49:29 +0200 | [diff] [blame] | 2002 | /* This is a public key, so it can't be opaque, so can_do() is a good |
| 2003 | * enough check to ensure pk_ec() is safe to use below. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2004 | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) { |
| 2005 | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
| 2006 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2007 | } |
| 2008 | |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2009 | #if defined(MBEDTLS_ECP_C) |
| 2010 | const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk); |
| 2011 | #endif /* MBEDTLS_ECP_C */ |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2012 | |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2013 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2014 | uint16_t tls_id = 0; |
| 2015 | psa_ecc_family_t ecc_family; |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2016 | mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk); |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2017 | |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2018 | if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2019 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); |
| 2020 | return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2021 | } |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2022 | |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2023 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2024 | if (tls_id == 0) { |
| 2025 | MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported", |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2026 | grp_id)); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2027 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2028 | } |
| 2029 | |
| Valerio Setti | 1e868cc | 2023-01-09 17:30:01 +0100 | [diff] [blame] | 2030 | /* If the above conversion to TLS ID was fine, then also this one will be, |
| 2031 | so there is no need to check the return value here */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2032 | mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, |
| 2033 | &ssl->handshake->ecdh_bits); |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2034 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2035 | ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2036 | |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2037 | /* Store peer's public key in psa format. */ |
| Valerio Setti | d7ca395 | 2023-05-17 15:36:18 +0200 | [diff] [blame] | 2038 | #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2039 | memcpy(ssl->handshake->ecdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len); |
| 2040 | ssl->handshake->ecdh_psa_peerkey_len = peer_pk->pub_raw_len; |
| 2041 | ret = 0; |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2042 | #else /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Valerio Setti | d7ca395 | 2023-05-17 15:36:18 +0200 | [diff] [blame] | 2043 | size_t olen = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2044 | ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q, |
| 2045 | MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, |
| 2046 | ssl->handshake->ecdh_psa_peerkey, |
| 2047 | MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH); |
| Przemek Stekiel | ea4000f | 2022-03-16 09:49:33 +0100 | [diff] [blame] | 2048 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2049 | if (ret != 0) { |
| 2050 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret); |
| 2051 | return ret; |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2052 | } |
| Przemek Stekiel | 561a423 | 2022-03-16 13:16:24 +0100 | [diff] [blame] | 2053 | ssl->handshake->ecdh_psa_peerkey_len = olen; |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2054 | #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| 2055 | #else /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2056 | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key, |
| 2057 | MBEDTLS_ECDH_THEIRS)) != 0) { |
| 2058 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
| 2059 | return ret; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2060 | } |
| 2061 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2062 | if (ssl_check_server_ecdh_params(ssl) != 0) { |
| 2063 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); |
| 2064 | return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2065 | } |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2066 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2067 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2068 | /* We don't need the peer's public key anymore. Free it, |
| 2069 | * so that more RAM is available for upcoming expensive |
| 2070 | * operations like ECDHE. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2071 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2072 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 2073 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2074 | return ret; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2075 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2076 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2077 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2078 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2079 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2080 | static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2081 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2082 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2083 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2084 | ssl->handshake->ciphersuite_info; |
| Andres Amaya Garcia | 53c77cc | 2017-06-27 16:15:06 +0100 | [diff] [blame] | 2085 | unsigned char *p = NULL, *end = NULL; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2086 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2087 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2088 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2089 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2090 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| 2091 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2092 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2093 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2094 | } |
| Manuel Pégourié-Gonnard | bac0e3b | 2013-10-15 11:54:47 +0200 | [diff] [blame] | 2095 | ((void) p); |
| 2096 | ((void) end); |
| 2097 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2098 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2099 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2100 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2101 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| 2102 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| 2103 | if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) { |
| 2104 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2105 | mbedtls_ssl_send_alert_message( |
| 2106 | ssl, |
| 2107 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2108 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2109 | return ret; |
| Manuel Pégourié-Gonnard | ab24010 | 2014-02-04 16:18:07 +0100 | [diff] [blame] | 2110 | } |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2111 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2112 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2113 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2114 | return 0; |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2115 | } |
| 2116 | ((void) p); |
| 2117 | ((void) end); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2118 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 2119 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | d18cc57 | 2013-12-11 17:45:46 +0100 | [diff] [blame] | 2120 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2121 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2122 | if (ssl->handshake->ecrs_enabled && |
| 2123 | ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2124 | goto start_processing; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2125 | } |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2126 | #endif |
| 2127 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2128 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2129 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2130 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2131 | } |
| 2132 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2133 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2134 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2135 | mbedtls_ssl_send_alert_message( |
| 2136 | ssl, |
| 2137 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2138 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 2139 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2140 | } |
| 2141 | |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2142 | /* |
| 2143 | * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server |
| 2144 | * doesn't use a psk_identity_hint |
| 2145 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2146 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) { |
| 2147 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| 2148 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2149 | /* Current message is probably either |
| 2150 | * CertificateRequest or ServerHelloDone */ |
| 2151 | ssl->keep_current_message = 1; |
| Paul Bakker | 188c8de | 2013-04-19 09:13:37 +0200 | [diff] [blame] | 2152 | goto exit; |
| 2153 | } |
| 2154 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2155 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2156 | ("server key exchange message must not be skipped")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2157 | mbedtls_ssl_send_alert_message( |
| 2158 | ssl, |
| 2159 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2160 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2161 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2162 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2163 | } |
| 2164 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2165 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2166 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2167 | ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2168 | } |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 2169 | |
| 2170 | start_processing: |
| 2171 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2172 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Paul Bakker | 3b6a07b | 2013-03-21 11:56:50 +0100 | [diff] [blame] | 2173 | end = ssl->in_msg + ssl->in_hslen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2174 | MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p); |
| Paul Bakker | 3b6a07b | 2013-03-21 11:56:50 +0100 | [diff] [blame] | 2175 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2176 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2177 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2178 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 2179 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2180 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| 2181 | if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) { |
| 2182 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2183 | mbedtls_ssl_send_alert_message( |
| 2184 | ssl, |
| 2185 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2186 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2187 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2188 | } |
| Shaun Case | 8b0ecbc | 2021-12-20 21:14:10 -0800 | [diff] [blame] | 2189 | } /* FALLTHROUGH */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2190 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2191 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2192 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ |
| 2193 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2194 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
| 2195 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Manuel Pégourié-Gonnard | 09258b9 | 2013-10-15 10:43:36 +0200 | [diff] [blame] | 2196 | ; /* nothing more to do */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2197 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2198 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || |
| 2199 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 2200 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 2201 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2202 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
| 2203 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| 2204 | if (ssl_parse_server_dh_params(ssl, &p, end) != 0) { |
| 2205 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2206 | mbedtls_ssl_send_alert_message( |
| 2207 | ssl, |
| 2208 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2209 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2210 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2211 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2212 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2213 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 2214 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2215 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 2216 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2217 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2218 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2219 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2220 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { |
| 2221 | if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) { |
| 2222 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2223 | mbedtls_ssl_send_alert_message( |
| 2224 | ssl, |
| 2225 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2226 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2227 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2228 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2229 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2230 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 2231 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
| 2232 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2233 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2234 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2235 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2236 | /* |
| 2237 | * The first 3 bytes are: |
| 2238 | * [0] MBEDTLS_ECP_TLS_NAMED_CURVE |
| 2239 | * [1, 2] elliptic curve's TLS ID |
| 2240 | * |
| 2241 | * However since we only support secp256r1 for now, we check only |
| 2242 | * that TLS ID here |
| 2243 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2244 | uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1); |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2245 | uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2246 | MBEDTLS_ECP_DP_SECP256R1); |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2247 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2248 | if (exp_tls_id == 0) { |
| 2249 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2250 | } |
| 2251 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2252 | if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) || |
| 2253 | (read_tls_id != exp_tls_id)) { |
| 2254 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Valerio Setti | 5151bdf | 2022-11-21 14:30:02 +0100 | [diff] [blame] | 2255 | } |
| Valerio Setti | 9bed8ec | 2022-11-17 16:36:19 +0100 | [diff] [blame] | 2256 | |
| 2257 | p += 3; |
| 2258 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2259 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 2260 | &ssl->handshake->psa_pake_ctx, p, end - p, |
| 2261 | MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { |
| 2262 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 2263 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2265 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2266 | mbedtls_ssl_send_alert_message( |
| 2267 | ssl, |
| 2268 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2269 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2270 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2271 | } |
| 2272 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2273 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
| 2274 | p, end - p); |
| 2275 | if (ret != 0) { |
| 2276 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2277 | mbedtls_ssl_send_alert_message( |
| 2278 | ssl, |
| 2279 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2280 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2281 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2282 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2283 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2284 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2285 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2286 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2287 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2288 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2289 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2290 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2291 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2292 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
| Manuel Pégourié-Gonnard | d92d6a1 | 2014-09-10 15:25:02 +0000 | [diff] [blame] | 2293 | size_t sig_len, hashlen; |
| Przemek Stekiel | 40afdd2 | 2022-09-06 13:08:28 +0200 | [diff] [blame] | 2294 | unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; |
| 2295 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2296 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| 2297 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2298 | unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | d92d6a1 | 2014-09-10 15:25:02 +0000 | [diff] [blame] | 2299 | size_t params_len = p - params; |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2300 | void *rs_ctx = NULL; |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2301 | uint16_t sig_alg; |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2302 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2303 | mbedtls_pk_context *peer_pk; |
| Hanno Becker | a6899bb | 2019-02-06 18:26:03 +0000 | [diff] [blame] | 2304 | |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2305 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2306 | peer_pk = &ssl->handshake->peer_pubkey; |
| 2307 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2308 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2309 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2310 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2311 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2312 | } |
| 2313 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 2314 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 2315 | |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2316 | /* |
| 2317 | * Handle the digitally-signed structure |
| 2318 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2319 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2320 | sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); |
| 2321 | if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( |
| 2322 | sig_alg, &pk_alg, &md_alg) != 0 && |
| 2323 | !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) && |
| 2324 | !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { |
| 2325 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2326 | ("bad server key exchange message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2327 | mbedtls_ssl_send_alert_message( |
| 2328 | ssl, |
| 2329 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2330 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2331 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2332 | } |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2333 | p += 2; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2334 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2335 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 2336 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2337 | ("bad server key exchange message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2338 | mbedtls_ssl_send_alert_message( |
| 2339 | ssl, |
| 2340 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2341 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 2342 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Paul Bakker | 9659dae | 2013-08-28 16:21:34 +0200 | [diff] [blame] | 2343 | } |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 2344 | |
| 2345 | /* |
| 2346 | * Read signature |
| 2347 | */ |
| Krzysztof Stachowiak | a1098f8 | 2018-03-13 11:28:49 +0100 | [diff] [blame] | 2348 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2349 | if (p > end - 2) { |
| 2350 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2351 | mbedtls_ssl_send_alert_message( |
| 2352 | ssl, |
| 2353 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2354 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2355 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | a1098f8 | 2018-03-13 11:28:49 +0100 | [diff] [blame] | 2356 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2357 | sig_len = (p[0] << 8) | p[1]; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2358 | p += 2; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 2359 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2360 | if (p != end - sig_len) { |
| 2361 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2362 | mbedtls_ssl_send_alert_message( |
| 2363 | ssl, |
| 2364 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2365 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2366 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2367 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2368 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2369 | MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len); |
| Manuel Pégourié-Gonnard | ff56da3 | 2013-07-11 10:46:21 +0200 | [diff] [blame] | 2370 | |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2371 | /* |
| 2372 | * Compute the hash that has been signed |
| 2373 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2374 | if (md_alg != MBEDTLS_MD_NONE) { |
| 2375 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
| 2376 | params, params_len, |
| 2377 | md_alg); |
| 2378 | if (ret != 0) { |
| 2379 | return ret; |
| 2380 | } |
| 2381 | } else { |
| 2382 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2383 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 2384 | } |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2386 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
| Paul Bakker | 29e1f12 | 2013-04-16 13:07:56 +0200 | [diff] [blame] | 2387 | |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2388 | /* |
| 2389 | * Verify signature |
| 2390 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2391 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 2392 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2393 | mbedtls_ssl_send_alert_message( |
| 2394 | ssl, |
| 2395 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2396 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 2397 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | efebb0a | 2013-08-19 12:06:38 +0200 | [diff] [blame] | 2398 | } |
| 2399 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2400 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2401 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 15d7df2 | 2017-08-17 14:33:31 +0200 | [diff] [blame] | 2402 | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2403 | } |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2404 | #endif |
| 2405 | |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2406 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2407 | if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2408 | mbedtls_pk_rsassa_pss_options rsassa_pss_options; |
| 2409 | rsassa_pss_options.mgf1_hash_id = md_alg; |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 2410 | rsassa_pss_options.expected_salt_len = |
| Manuel Pégourié-Gonnard | 9b41eb8 | 2023-03-28 11:14:24 +0200 | [diff] [blame^] | 2411 | mbedtls_md_get_size_from_type(md_alg); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2412 | if (rsassa_pss_options.expected_salt_len == 0) { |
| 2413 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2414 | } |
| Andrzej Kurek | 0ce5921 | 2022-08-17 07:54:34 -0400 | [diff] [blame] | 2415 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2416 | ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options, |
| 2417 | peer_pk, |
| 2418 | md_alg, hash, hashlen, |
| 2419 | p, sig_len); |
| 2420 | } else |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2421 | #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2422 | ret = mbedtls_pk_verify_restartable(peer_pk, |
| 2423 | md_alg, hash, hashlen, p, sig_len, rs_ctx); |
| Jerry Yu | 693a47a | 2022-06-23 14:02:28 +0800 | [diff] [blame] | 2424 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2425 | if (ret != 0) { |
| David Horstmann | b21bbef | 2022-10-06 17:49:31 +0100 | [diff] [blame] | 2426 | int send_alert_msg = 1; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2427 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2428 | send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS); |
| Manuel Pégourié-Gonnard | 1f1f2a1 | 2017-05-18 11:27:06 +0200 | [diff] [blame] | 2429 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2430 | if (send_alert_msg) { |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2431 | mbedtls_ssl_send_alert_message( |
| 2432 | ssl, |
| 2433 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2434 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); |
| 2435 | } |
| 2436 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2437 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2438 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2439 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2440 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2441 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2442 | return ret; |
| Paul Bakker | c3f177a | 2012-04-11 16:11:49 +0000 | [diff] [blame] | 2443 | } |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2444 | |
| 2445 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 2446 | /* We don't need the peer's public key anymore. Free it, |
| 2447 | * so that more RAM is available for upcoming expensive |
| 2448 | * operations like ECDHE. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2449 | mbedtls_pk_free(peer_pk); |
| Hanno Becker | ae553dd | 2019-02-08 14:06:00 +0000 | [diff] [blame] | 2450 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2451 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2452 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2453 | |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2454 | exit: |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2455 | ssl->state++; |
| 2456 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2457 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2458 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2459 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2460 | } |
| 2461 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2462 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2463 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2464 | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2465 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2466 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2467 | ssl->handshake->ciphersuite_info; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2468 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2469 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2470 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2471 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2472 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2473 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2474 | return 0; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2475 | } |
| 2476 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2477 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2478 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2479 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2480 | #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2481 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2482 | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2483 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2484 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2485 | unsigned char *buf; |
| 2486 | size_t n = 0; |
| Paul Bakker | d2f068e | 2013-08-27 21:19:20 +0200 | [diff] [blame] | 2487 | size_t cert_type_len = 0, dn_len = 0; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2488 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2489 | ssl->handshake->ciphersuite_info; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2490 | size_t sig_alg_len; |
| 2491 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2492 | unsigned char *sig_alg; |
| 2493 | unsigned char *dn; |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2494 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2495 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2496 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2497 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2498 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2499 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2500 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2501 | return 0; |
| Manuel Pégourié-Gonnard | da1ff38 | 2013-11-25 17:38:36 +0100 | [diff] [blame] | 2502 | } |
| 2503 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2504 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2505 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2506 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2507 | } |
| 2508 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2509 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2510 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 2511 | mbedtls_ssl_send_alert_message( |
| 2512 | ssl, |
| 2513 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2514 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 2515 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2516 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2517 | |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2518 | ssl->state++; |
| Jerry Yu | fb28b88 | 2022-01-28 11:05:58 +0800 | [diff] [blame] | 2519 | ssl->handshake->client_auth = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2520 | (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2521 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2522 | MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request", |
| 2523 | ssl->handshake->client_auth ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2524 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2525 | if (ssl->handshake->client_auth == 0) { |
| Johan Pascal | a89ca86 | 2020-08-25 10:03:19 +0200 | [diff] [blame] | 2526 | /* Current message is probably the ServerHelloDone */ |
| 2527 | ssl->keep_current_message = 1; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2528 | goto exit; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2529 | } |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 2530 | |
| Manuel Pégourié-Gonnard | 04c1b4e | 2014-09-10 19:25:43 +0200 | [diff] [blame] | 2531 | /* |
| 2532 | * struct { |
| 2533 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2534 | * SignatureAndHashAlgorithm |
| 2535 | * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only |
| 2536 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2537 | * } CertificateRequest; |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2538 | * |
| 2539 | * Since we only support a single certificate on clients, let's just |
| 2540 | * ignore all the information that's supposed to help us pick a |
| 2541 | * certificate. |
| 2542 | * |
| 2543 | * We could check that our certificate matches the request, and bail out |
| 2544 | * if it doesn't, but it's simpler to just send the certificate anyway, |
| 2545 | * and give the server the opportunity to decide if it should terminate |
| 2546 | * the connection when it doesn't like our certificate. |
| 2547 | * |
| 2548 | * Same goes for the hash in TLS 1.2's signature_algorithms: at this |
| 2549 | * point we only have one hash available (see comments in |
| Simon Butcher | c0957bd | 2016-03-01 13:16:57 +0000 | [diff] [blame] | 2550 | * write_certificate_verify), so let's just use what we have. |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2551 | * |
| 2552 | * However, we still minimally parse the message to check it is at least |
| 2553 | * superficially sane. |
| Manuel Pégourié-Gonnard | 04c1b4e | 2014-09-10 19:25:43 +0200 | [diff] [blame] | 2554 | */ |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2555 | buf = ssl->in_msg; |
| Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 2556 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2557 | /* certificate_types */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2558 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) { |
| 2559 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2560 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2561 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2562 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Krzysztof Stachowiak | 73b183c | 2018-04-05 10:20:09 +0200 | [diff] [blame] | 2563 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2564 | cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)]; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2565 | n = cert_type_len; |
| 2566 | |
| Krzysztof Stachowiak | bc145f7 | 2018-03-20 11:19:50 +0100 | [diff] [blame] | 2567 | /* |
| Krzysztof Stachowiak | 94d4997 | 2018-04-05 14:48:55 +0200 | [diff] [blame] | 2568 | * In the subsequent code there are two paths that read from buf: |
| Krzysztof Stachowiak | bc145f7 | 2018-03-20 11:19:50 +0100 | [diff] [blame] | 2569 | * * the length of the signature algorithms field (if minor version of |
| 2570 | * SSL is 3), |
| 2571 | * * distinguished name length otherwise. |
| 2572 | * Both reach at most the index: |
| 2573 | * ...hdr_len + 2 + n, |
| 2574 | * therefore the buffer length at this point must be greater than that |
| 2575 | * regardless of the actual code path. |
| 2576 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2577 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) { |
| 2578 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2579 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2580 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2581 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2582 | } |
| 2583 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2584 | /* supported_signature_algorithms */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2585 | sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
| 2586 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2587 | |
| 2588 | /* |
| 2589 | * The furthest access in buf is in the loop few lines below: |
| 2590 | * sig_alg[i + 1], |
| 2591 | * where: |
| 2592 | * sig_alg = buf + ...hdr_len + 3 + n, |
| 2593 | * max(i) = sig_alg_len - 1. |
| 2594 | * Therefore the furthest access is: |
| 2595 | * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], |
| 2596 | * which reduces to: |
| 2597 | * buf[...hdr_len + 3 + n + sig_alg_len], |
| 2598 | * which is one less than we need the buf to be. |
| 2599 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2600 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) { |
| 2601 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2602 | mbedtls_ssl_send_alert_message( |
| 2603 | ssl, |
| 2604 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2605 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2606 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | f7abd42 | 2013-04-16 13:15:56 +0200 | [diff] [blame] | 2607 | } |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2608 | |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2609 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2610 | sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n; |
| 2611 | for (size_t i = 0; i < sig_alg_len; i += 2) { |
| 2612 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2613 | ("Supported Signature Algorithm found: %02x %02x", |
| 2614 | sig_alg[i], sig_alg[i + 1])); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 2615 | } |
| 2616 | #endif |
| 2617 | |
| 2618 | n += 2 + sig_alg_len; |
| 2619 | |
| Manuel Pégourié-Gonnard | d1b7f2b | 2016-02-24 14:13:22 +0000 | [diff] [blame] | 2620 | /* certificate_authorities */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2621 | dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
| 2622 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2623 | |
| 2624 | n += dn_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2625 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) { |
| 2626 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| 2627 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2628 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2629 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2630 | } |
| 2631 | |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2632 | #if defined(MBEDTLS_DEBUG_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2633 | dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len; |
| 2634 | for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) { |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2635 | unsigned char *p = dn + i + 2; |
| 2636 | mbedtls_x509_name name; |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2637 | size_t asn1_len; |
| 2638 | char s[MBEDTLS_X509_MAX_DN_NAME_SIZE]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2639 | memset(&name, 0, sizeof(name)); |
| 2640 | dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0); |
| 2641 | if (dni_len > dn_len - i - 2 || |
| 2642 | mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len, |
| 2643 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 || |
| 2644 | mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) { |
| 2645 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2646 | mbedtls_ssl_send_alert_message( |
| 2647 | ssl, |
| 2648 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2649 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2650 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2651 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2652 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2653 | ("DN hint: %.*s", |
| 2654 | mbedtls_x509_dn_gets(s, sizeof(s), &name), s)); |
| 2655 | mbedtls_asn1_free_named_data_list_shallow(name.next); |
| Glenn Strauss | bd10c4e | 2022-06-25 03:15:48 -0400 | [diff] [blame] | 2656 | } |
| 2657 | #endif |
| 2658 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2659 | exit: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2660 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2661 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2662 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2663 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2664 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2665 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2666 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2667 | static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2668 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2669 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2670 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2671 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2672 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2673 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 2674 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2675 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2676 | } |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2677 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2678 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 2679 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
| 2680 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Hanno Becker | af0665d | 2017-05-24 09:16:26 +0100 | [diff] [blame] | 2681 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2682 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2683 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) || |
| 2684 | ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) { |
| 2685 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
| 2686 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 2687 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 2688 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2689 | } |
| 2690 | |
| 2691 | ssl->state++; |
| 2692 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2693 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2694 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 2695 | mbedtls_ssl_recv_flight_completed(ssl); |
| 2696 | } |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 2697 | #endif |
| 2698 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2699 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2700 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2701 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2702 | } |
| 2703 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2704 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2705 | static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2706 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2707 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2708 | |
| 2709 | size_t header_len; |
| 2710 | size_t content_len; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2711 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2712 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2713 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2714 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2715 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2716 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2717 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2718 | /* |
| 2719 | * DHM key exchange -- send G^X mod P |
| 2720 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2721 | content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2722 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2723 | MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4); |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2724 | header_len = 6; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2725 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2726 | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
| 2727 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 2728 | &ssl->out_msg[header_len], content_len, |
| 2729 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2730 | if (ret != 0) { |
| 2731 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
| 2732 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2733 | } |
| 2734 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2735 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
| 2736 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2737 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2738 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 2739 | ssl->handshake->premaster, |
| 2740 | MBEDTLS_PREMASTER_SIZE, |
| 2741 | &ssl->handshake->pmslen, |
| 2742 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2743 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 2744 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2745 | } |
| 2746 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2747 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 2748 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2749 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2750 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 2751 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 2752 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2753 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2754 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Przemek Stekiel | d905d33 | 2022-03-16 09:50:56 +0100 | [diff] [blame] | 2755 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 2756 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2757 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| Neil Armstrong | 11d4945 | 2022-04-13 15:03:43 +0200 | [diff] [blame] | 2758 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2759 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2760 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| Janos Follath | 53b8ec2 | 2019-08-08 10:28:27 +0100 | [diff] [blame] | 2761 | psa_key_attributes_t key_attributes; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2762 | |
| 2763 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 2764 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2765 | header_len = 4; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2766 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2767 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Hanno Becker | 0a94a64 | 2019-01-11 14:35:30 +0000 | [diff] [blame] | 2768 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2769 | /* |
| 2770 | * Generate EC private key for ECDHE exchange. |
| 2771 | */ |
| 2772 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2773 | /* The master secret is obtained from the shared ECDH secret by |
| 2774 | * applying the TLS 1.2 PRF with a specific salt and label. While |
| 2775 | * the PSA Crypto API encourages combining key agreement schemes |
| 2776 | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
| 2777 | * yet support the provisioning of salt + label to the KDF. |
| 2778 | * For the time being, we therefore need to split the computation |
| 2779 | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
| Janos Follath | 53b8ec2 | 2019-08-08 10:28:27 +0100 | [diff] [blame] | 2780 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2781 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2782 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2783 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2784 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2785 | |
| 2786 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2787 | status = psa_generate_key(&key_attributes, |
| 2788 | &handshake->ecdh_psa_privkey); |
| 2789 | if (status != PSA_SUCCESS) { |
| 2790 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| 2791 | } |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2792 | |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2793 | /* Export the public part of the ECDH private key from PSA. |
| Manuel Pégourié-Gonnard | 5d6053f | 2022-02-08 10:26:19 +0100 | [diff] [blame] | 2794 | * The export format is an ECPoint structure as expected by TLS, |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2795 | * but we just need to add a length byte before that. */ |
| 2796 | unsigned char *own_pubkey = ssl->out_msg + header_len + 1; |
| 2797 | unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2798 | size_t own_pubkey_max_len = (size_t) (end - own_pubkey); |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2799 | size_t own_pubkey_len; |
| 2800 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2801 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 2802 | own_pubkey, own_pubkey_max_len, |
| 2803 | &own_pubkey_len); |
| 2804 | if (status != PSA_SUCCESS) { |
| 2805 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2806 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2807 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2808 | } |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2809 | |
| Manuel Pégourié-Gonnard | 58d2383 | 2022-01-18 12:17:15 +0100 | [diff] [blame] | 2810 | ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; |
| 2811 | content_len = own_pubkey_len + 1; |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2812 | |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2813 | /* The ECDH secret is the premaster secret used for key derivation. */ |
| 2814 | |
| Janos Follath | df3b089 | 2019-08-08 11:12:24 +0100 | [diff] [blame] | 2815 | /* Compute ECDH shared secret. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2816 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 2817 | handshake->ecdh_psa_privkey, |
| 2818 | handshake->ecdh_psa_peerkey, |
| 2819 | handshake->ecdh_psa_peerkey_len, |
| 2820 | ssl->handshake->premaster, |
| 2821 | sizeof(ssl->handshake->premaster), |
| 2822 | &ssl->handshake->pmslen); |
| Hanno Becker | 4a63ed4 | 2019-01-08 11:39:35 +0000 | [diff] [blame] | 2823 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2824 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 2825 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | a0237f8 | 2022-02-24 13:24:52 -0500 | [diff] [blame] | 2826 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2827 | if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) { |
| 2828 | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
| 2829 | } |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 2830 | #else |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2831 | /* |
| 2832 | * ECDH key exchange -- send client public value |
| 2833 | */ |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2834 | header_len = 4; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2835 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2836 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2837 | if (ssl->handshake->ecrs_enabled) { |
| 2838 | if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) { |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2839 | goto ecdh_calc_secret; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2840 | } |
| Manuel Pégourié-Gonnard | 23e4162 | 2017-05-18 12:35:37 +0200 | [diff] [blame] | 2841 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2842 | mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx); |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2843 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2844 | #endif |
| 2845 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2846 | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
| 2847 | &content_len, |
| 2848 | &ssl->out_msg[header_len], 1000, |
| 2849 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2850 | if (ret != 0) { |
| 2851 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2852 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2853 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2854 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2855 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2856 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2857 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2858 | } |
| 2859 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2860 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 2861 | MBEDTLS_DEBUG_ECDH_Q); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2862 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2863 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2864 | if (ssl->handshake->ecrs_enabled) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2865 | ssl->handshake->ecrs_n = content_len; |
| Manuel Pégourié-Gonnard | c37423f | 2018-10-16 10:28:17 +0200 | [diff] [blame] | 2866 | ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 2867 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2868 | |
| 2869 | ecdh_calc_secret: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2870 | if (ssl->handshake->ecrs_enabled) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 2871 | content_len = ssl->handshake->ecrs_n; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2872 | } |
| Manuel Pégourié-Gonnard | 2350b4e | 2017-05-16 09:26:48 +0200 | [diff] [blame] | 2873 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2874 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
| 2875 | &ssl->handshake->pmslen, |
| 2876 | ssl->handshake->premaster, |
| 2877 | MBEDTLS_MPI_MAX_SIZE, |
| 2878 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2879 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2880 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2881 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2882 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2883 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 2884 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2885 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2886 | } |
| 2887 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2888 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 2889 | MBEDTLS_DEBUG_ECDH_Z); |
| Neil Armstrong | 11d4945 | 2022-04-13 15:03:43 +0200 | [diff] [blame] | 2890 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2891 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2892 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 2893 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 2894 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 2895 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2896 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 2897 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2898 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2899 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2900 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2901 | psa_key_attributes_t key_attributes; |
| 2902 | |
| 2903 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 2904 | |
| 2905 | /* |
| 2906 | * opaque psk_identity<0..2^16-1>; |
| 2907 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2908 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2909 | /* We don't offer PSK suites if we don't have a PSK, |
| 2910 | * and we check that the server's choice is among the |
| 2911 | * ciphersuites we offered, so this should never happen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2912 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2913 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2914 | |
| Neil Armstrong | fc834f2 | 2022-03-23 17:54:38 +0100 | [diff] [blame] | 2915 | /* uint16 to store content length */ |
| 2916 | const size_t content_len_size = 2; |
| 2917 | |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2918 | header_len = 4; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2919 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2920 | if (header_len + content_len_size + ssl->conf->psk_identity_len |
| 2921 | > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 2922 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2923 | ("psk identity too long or SSL buffer too short")); |
| 2924 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2925 | } |
| 2926 | |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2927 | unsigned char *p = ssl->out_msg + header_len; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2928 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2929 | *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len); |
| 2930 | *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2931 | header_len += content_len_size; |
| 2932 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2933 | memcpy(p, ssl->conf->psk_identity, |
| 2934 | ssl->conf->psk_identity_len); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2935 | p += ssl->conf->psk_identity_len; |
| 2936 | |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2937 | header_len += ssl->conf->psk_identity_len; |
| 2938 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2939 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2940 | |
| 2941 | /* |
| 2942 | * Generate EC private key for ECDHE exchange. |
| 2943 | */ |
| 2944 | |
| 2945 | /* The master secret is obtained from the shared ECDH secret by |
| 2946 | * applying the TLS 1.2 PRF with a specific salt and label. While |
| 2947 | * the PSA Crypto API encourages combining key agreement schemes |
| 2948 | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
| 2949 | * yet support the provisioning of salt + label to the KDF. |
| 2950 | * For the time being, we therefore need to split the computation |
| 2951 | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
| 2952 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2953 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2954 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2955 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2956 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2957 | |
| 2958 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2959 | status = psa_generate_key(&key_attributes, |
| 2960 | &handshake->ecdh_psa_privkey); |
| 2961 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2962 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2963 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2964 | |
| 2965 | /* Export the public part of the ECDH private key from PSA. |
| 2966 | * The export format is an ECPoint structure as expected by TLS, |
| 2967 | * but we just need to add a length byte before that. */ |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2968 | unsigned char *own_pubkey = p + 1; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2969 | unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2970 | size_t own_pubkey_max_len = (size_t) (end - own_pubkey); |
| Neil Armstrong | bc5e8f9 | 2022-03-23 17:42:50 +0100 | [diff] [blame] | 2971 | size_t own_pubkey_len = 0; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2972 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2973 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 2974 | own_pubkey, own_pubkey_max_len, |
| 2975 | &own_pubkey_len); |
| 2976 | if (status != PSA_SUCCESS) { |
| 2977 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2978 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2979 | return PSA_TO_MBEDTLS_ERR(status); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2980 | } |
| 2981 | |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2982 | *p = (unsigned char) own_pubkey_len; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2983 | content_len = own_pubkey_len + 1; |
| 2984 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 2985 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| 2986 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 2987 | * - the octet string produced by the ECDH computation |
| 2988 | * - a uint16 containing the length (in octets) of the PSK |
| 2989 | * - the PSK itself |
| 2990 | */ |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 2991 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2992 | const unsigned char * const pms_end = pms + |
| 2993 | sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 0bdb68a | 2022-03-23 17:46:32 +0100 | [diff] [blame] | 2994 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 2995 | const size_t zlen_size = 2; |
| Neil Armstrong | bc5e8f9 | 2022-03-23 17:42:50 +0100 | [diff] [blame] | 2996 | size_t zlen = 0; |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 2997 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 2998 | /* Perform ECDH computation after the uint16 reserved for the length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2999 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 3000 | handshake->ecdh_psa_privkey, |
| 3001 | handshake->ecdh_psa_peerkey, |
| 3002 | handshake->ecdh_psa_peerkey_len, |
| 3003 | pms + zlen_size, |
| 3004 | pms_end - (pms + zlen_size), |
| 3005 | &zlen); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3006 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3007 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3008 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3009 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3010 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3011 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3012 | } else if (destruction_status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3013 | return PSA_TO_MBEDTLS_ERR(destruction_status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3014 | } |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3015 | |
| Neil Armstrong | 2540045 | 2022-03-23 17:44:07 +0100 | [diff] [blame] | 3016 | /* Write the ECDH computation length before the ECDH computation */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3017 | MBEDTLS_PUT_UINT16_BE(zlen, pms, 0); |
| Neil Armstrong | b7ca76b | 2022-04-04 18:27:15 +0200 | [diff] [blame] | 3018 | pms += zlen_size + zlen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3019 | } else |
| Neil Armstrong | 868af82 | 2022-03-09 10:26:25 +0100 | [diff] [blame] | 3020 | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
| 3021 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3022 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3023 | if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) { |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3024 | /* |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3025 | * opaque psk_identity<0..2^16-1>; |
| 3026 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3027 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { |
| Hanno Becker | 2e4f616 | 2018-10-23 11:54:44 +0100 | [diff] [blame] | 3028 | /* We don't offer PSK suites if we don't have a PSK, |
| 3029 | * and we check that the server's choice is among the |
| 3030 | * ciphersuites we offered, so this should never happen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3031 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | b4b19f3 | 2015-07-07 11:41:21 +0200 | [diff] [blame] | 3032 | } |
| Paul Bakker | d4a56ec | 2013-04-16 18:05:29 +0200 | [diff] [blame] | 3033 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3034 | header_len = 4; |
| 3035 | content_len = ssl->conf->psk_identity_len; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3036 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3037 | if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 3038 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 3039 | ("psk identity too long or SSL buffer too short")); |
| 3040 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3041 | } |
| 3042 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3043 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
| 3044 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3045 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3046 | memcpy(ssl->out_msg + header_len, |
| 3047 | ssl->conf->psk_identity, |
| 3048 | ssl->conf->psk_identity_len); |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3049 | header_len += ssl->conf->psk_identity_len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3050 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3051 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3052 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3053 | content_len = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3054 | } else |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3055 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3056 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3057 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| 3058 | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
| 3059 | &content_len, 2)) != 0) { |
| 3060 | return ret; |
| 3061 | } |
| 3062 | } else |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3063 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3064 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3065 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3066 | /* |
| 3067 | * ClientDiffieHellmanPublic public (DHM send G^X mod P) |
| 3068 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3069 | content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3070 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3071 | if (header_len + 2 + content_len > |
| 3072 | MBEDTLS_SSL_OUT_CONTENT_LEN) { |
| 3073 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 3074 | ("psk identity or DHM size too long or SSL buffer too short")); |
| 3075 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
| Manuel Pégourié-Gonnard | c6b5d83 | 2015-08-27 16:37:35 +0200 | [diff] [blame] | 3076 | } |
| 3077 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3078 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
| 3079 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3080 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3081 | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
| 3082 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 3083 | &ssl->out_msg[header_len], content_len, |
| 3084 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3085 | if (ret != 0) { |
| 3086 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
| 3087 | return ret; |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3088 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3089 | |
| 3090 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3091 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3092 | unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3093 | size_t pms_len; |
| 3094 | |
| 3095 | /* Write length only when we know the actual value */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3096 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3097 | pms + 2, pms_end - (pms + 2), &pms_len, |
| 3098 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3099 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3100 | return ret; |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3101 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3102 | MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3103 | pms += 2 + pms_len; |
| 3104 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3105 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3106 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3107 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3108 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 3109 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3110 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 3111 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3112 | /* |
| 3113 | * ClientECDiffieHellmanPublic public; |
| 3114 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3115 | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
| 3116 | &content_len, |
| 3117 | &ssl->out_msg[header_len], |
| 3118 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
| 3119 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3120 | if (ret != 0) { |
| 3121 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
| 3122 | return ret; |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3123 | } |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3124 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3125 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3126 | MBEDTLS_DEBUG_ECDH_Q); |
| 3127 | } else |
| Neil Armstrong | d8419ff | 2022-04-12 14:39:12 +0200 | [diff] [blame] | 3128 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 72fb62d | 2013-10-14 14:01:58 +0200 | [diff] [blame] | 3129 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3130 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3131 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3132 | } |
| 3133 | |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3134 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3135 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3136 | ciphersuite_info->key_exchange)) != 0) { |
| 3137 | MBEDTLS_SSL_DEBUG_RET(1, |
| 3138 | "mbedtls_ssl_psk_derive_premaster", ret); |
| 3139 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3140 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3141 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3142 | } else |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3143 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3144 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3145 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3146 | header_len = 4; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3147 | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
| 3148 | &content_len, 0)) != 0) { |
| 3149 | return ret; |
| 3150 | } |
| 3151 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3152 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3153 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3154 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3155 | header_len = 4; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3156 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3157 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3158 | unsigned char *out_p = ssl->out_msg + header_len; |
| 3159 | unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - |
| 3160 | header_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3161 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 3162 | out_p, end_p - out_p, &content_len, |
| 3163 | MBEDTLS_ECJPAKE_ROUND_TWO); |
| 3164 | if (ret != 0) { |
| 3165 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 3166 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 3167 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 3168 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3169 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3170 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3171 | ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx, |
| 3172 | ssl->out_msg + header_len, |
| 3173 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
| 3174 | &content_len, |
| 3175 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3176 | if (ret != 0) { |
| 3177 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
| 3178 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3179 | } |
| 3180 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3181 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
| 3182 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 3183 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3184 | if (ret != 0) { |
| 3185 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
| 3186 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3187 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3188 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3189 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3190 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3191 | { |
| 3192 | ((void) ciphersuite_info); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3193 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3194 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3195 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3196 | |
| Hanno Becker | c14a3bb | 2019-01-14 09:41:16 +0000 | [diff] [blame] | 3197 | ssl->out_msglen = header_len + content_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3198 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3199 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3200 | |
| 3201 | ssl->state++; |
| 3202 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3203 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3204 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3205 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3206 | } |
| 3207 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3208 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3209 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3210 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3211 | } |
| 3212 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3213 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3214 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3215 | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3216 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3217 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3218 | ssl->handshake->ciphersuite_info; |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3219 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3220 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3221 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3222 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3223 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 3224 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 3225 | return ret; |
| Manuel Pégourié-Gonnard | ada3030 | 2014-10-20 20:33:10 +0200 | [diff] [blame] | 3226 | } |
| 3227 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3228 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3229 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3230 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3231 | return 0; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 3232 | } |
| 3233 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3234 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3235 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3236 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3237 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3238 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3239 | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3240 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3241 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3242 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3243 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3244 | size_t n = 0, offset = 0; |
| 3245 | unsigned char hash[48]; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3246 | unsigned char *hash_start = hash; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3247 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 3248 | size_t hashlen; |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3249 | void *rs_ctx = NULL; |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3250 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3251 | size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3252 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3253 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 3254 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3255 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3256 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3257 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3258 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3259 | if (ssl->handshake->ecrs_enabled && |
| 3260 | ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3261 | goto sign; |
| Manuel Pégourié-Gonnard | d27d1a5 | 2017-08-15 11:49:08 +0200 | [diff] [blame] | 3262 | } |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3263 | #endif |
| 3264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3265 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 3266 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 3267 | return ret; |
| Manuel Pégourié-Gonnard | ada3030 | 2014-10-20 20:33:10 +0200 | [diff] [blame] | 3268 | } |
| 3269 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3270 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3271 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3272 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3273 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3274 | } |
| 3275 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3276 | if (ssl->handshake->client_auth == 0 || |
| 3277 | mbedtls_ssl_own_cert(ssl) == NULL) { |
| 3278 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
| Johan Pascal | a89ca86 | 2020-08-25 10:03:19 +0200 | [diff] [blame] | 3279 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3280 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3281 | } |
| 3282 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3283 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
| 3284 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate")); |
| 3285 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3286 | } |
| 3287 | |
| 3288 | /* |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3289 | * Make a signature of the handshake digests |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3290 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3291 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3292 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3293 | ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3294 | } |
| Manuel Pégourié-Gonnard | 0b23f16 | 2017-08-24 12:08:33 +0200 | [diff] [blame] | 3295 | |
| 3296 | sign: |
| 3297 | #endif |
| 3298 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 3299 | ret = ssl->handshake->calc_verify(ssl, hash, &hashlen); |
| 3300 | if (0 != ret) { |
| 3301 | MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); |
| 3302 | return ret; |
| 3303 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3304 | |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3305 | /* |
| 3306 | * digitally-signed struct { |
| 3307 | * opaque handshake_messages[handshake_messages_length]; |
| 3308 | * }; |
| 3309 | * |
| 3310 | * Taking shortcut here. We assume that the server always allows the |
| 3311 | * PRF Hash function and has sent it in the allowed signature |
| 3312 | * algorithms list received in the Certificate Request message. |
| 3313 | * |
| 3314 | * Until we encounter a server that does not, we will take this |
| 3315 | * shortcut. |
| 3316 | * |
| 3317 | * Reason: Otherwise we should have running hashes for SHA512 and |
| 3318 | * SHA224 in order to satisfy 'weird' needs from the server |
| 3319 | * side. |
| 3320 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3321 | if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3322 | md_alg = MBEDTLS_MD_SHA384; |
| 3323 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3324 | } else { |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3325 | md_alg = MBEDTLS_MD_SHA256; |
| 3326 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3327 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3328 | ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl)); |
| Ronald Cron | 90915f2 | 2022-03-07 11:11:36 +0100 | [diff] [blame] | 3329 | |
| 3330 | /* Info from md_alg will be used instead */ |
| 3331 | hashlen = 0; |
| 3332 | offset = 2; |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3333 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3334 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3335 | if (ssl->handshake->ecrs_enabled) { |
| Manuel Pégourié-Gonnard | 15d7df2 | 2017-08-17 14:33:31 +0200 | [diff] [blame] | 3336 | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3337 | } |
| Manuel Pégourié-Gonnard | 862cde5 | 2017-05-17 11:56:15 +0200 | [diff] [blame] | 3338 | #endif |
| 3339 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3340 | if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), |
| 3341 | md_alg, hash_start, hashlen, |
| 3342 | ssl->out_msg + 6 + offset, |
| 3343 | out_buf_len - 6 - offset, |
| 3344 | &n, |
| 3345 | ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) { |
| 3346 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3347 | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3348 | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 3349 | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3350 | } |
| Manuel Pégourié-Gonnard | 558da9c | 2018-06-13 12:02:12 +0200 | [diff] [blame] | 3351 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3352 | return ret; |
| Manuel Pégourié-Gonnard | 76c18a1 | 2013-08-20 16:50:40 +0200 | [diff] [blame] | 3353 | } |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 3354 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3355 | MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3356 | |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3357 | ssl->out_msglen = 6 + n + offset; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3358 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3359 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3360 | |
| 3361 | ssl->state++; |
| 3362 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3363 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3364 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3365 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3366 | } |
| 3367 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3368 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3369 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3370 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3371 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3372 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3373 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3374 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3375 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3376 | static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3377 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3378 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3379 | uint32_t lifetime; |
| 3380 | size_t ticket_len; |
| 3381 | unsigned char *ticket; |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3382 | const unsigned char *msg; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3383 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3384 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3386 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 3387 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 3388 | return ret; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3389 | } |
| 3390 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3391 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 3392 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| Hanno Becker | b2fff6d | 2017-05-08 11:06:19 +0100 | [diff] [blame] | 3393 | mbedtls_ssl_send_alert_message( |
| 3394 | ssl, |
| 3395 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3396 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
| 3397 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3398 | } |
| 3399 | |
| 3400 | /* |
| 3401 | * struct { |
| 3402 | * uint32 ticket_lifetime_hint; |
| 3403 | * opaque ticket<0..2^16-1>; |
| 3404 | * } NewSessionTicket; |
| 3405 | * |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3406 | * 0 . 3 ticket_lifetime_hint |
| 3407 | * 4 . 5 ticket_len (n) |
| 3408 | * 6 . 5+n ticket content |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3409 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3410 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || |
| 3411 | ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) { |
| 3412 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| 3413 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3414 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 3415 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3416 | } |
| 3417 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3418 | msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3419 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3420 | lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) | |
| 3421 | (msg[2] << 8) | (msg[3]); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3422 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3423 | ticket_len = (msg[4] << 8) | (msg[5]); |
| Manuel Pégourié-Gonnard | 000d5ae | 2014-09-10 21:52:12 +0200 | [diff] [blame] | 3424 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3425 | if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) { |
| 3426 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
| 3427 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3428 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 3429 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3430 | } |
| 3431 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3432 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len)); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3433 | |
| Manuel Pégourié-Gonnard | 7cd5924 | 2013-08-02 13:24:41 +0200 | [diff] [blame] | 3434 | /* We're not waiting for a NewSessionTicket message any more */ |
| 3435 | ssl->handshake->new_session_ticket = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3436 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Manuel Pégourié-Gonnard | 7cd5924 | 2013-08-02 13:24:41 +0200 | [diff] [blame] | 3437 | |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3438 | /* |
| 3439 | * Zero-length ticket means the server changed his mind and doesn't want |
| 3440 | * to send a ticket after all, so just forget it |
| 3441 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3442 | if (ticket_len == 0) { |
| 3443 | return 0; |
| 3444 | } |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3445 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3446 | if (ssl->session != NULL && ssl->session->ticket != NULL) { |
| 3447 | mbedtls_platform_zeroize(ssl->session->ticket, |
| 3448 | ssl->session->ticket_len); |
| 3449 | mbedtls_free(ssl->session->ticket); |
| Hanno Becker | b2964cb | 2019-01-30 14:46:35 +0000 | [diff] [blame] | 3450 | ssl->session->ticket = NULL; |
| 3451 | ssl->session->ticket_len = 0; |
| 3452 | } |
| 3453 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3454 | mbedtls_platform_zeroize(ssl->session_negotiate->ticket, |
| 3455 | ssl->session_negotiate->ticket_len); |
| 3456 | mbedtls_free(ssl->session_negotiate->ticket); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3457 | ssl->session_negotiate->ticket = NULL; |
| 3458 | ssl->session_negotiate->ticket_len = 0; |
| 3459 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3460 | if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) { |
| 3461 | MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); |
| 3462 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3463 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 3464 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3465 | } |
| 3466 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3467 | memcpy(ticket, msg + 6, ticket_len); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3468 | |
| 3469 | ssl->session_negotiate->ticket = ticket; |
| 3470 | ssl->session_negotiate->ticket_len = ticket_len; |
| 3471 | ssl->session_negotiate->ticket_lifetime = lifetime; |
| 3472 | |
| 3473 | /* |
| 3474 | * RFC 5077 section 3.4: |
| 3475 | * "If the client receives a session ticket from the server, then it |
| 3476 | * discards any Session ID that was sent in the ServerHello." |
| 3477 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3478 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id")); |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 3479 | ssl->session_negotiate->id_len = 0; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3480 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3481 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3482 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3483 | return 0; |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3484 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3485 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | a5cc602 | 2013-07-31 12:58:16 +0200 | [diff] [blame] | 3486 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3487 | /* |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 3488 | * SSL handshake -- client side -- single step |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3489 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3490 | int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3491 | { |
| 3492 | int ret = 0; |
| 3493 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3494 | /* Change state now, so that it is right in mbedtls_ssl_read_record(), used |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3495 | * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3496 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3497 | if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && |
| 3498 | ssl->handshake->new_session_ticket != 0) { |
| Jerry Yu | a357cf4 | 2022-07-12 05:36:45 +0000 | [diff] [blame] | 3499 | ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET; |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3500 | } |
| 3501 | #endif |
| 3502 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3503 | switch (ssl->state) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3504 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 3505 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3506 | break; |
| 3507 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3508 | /* |
| 3509 | * ==> ClientHello |
| 3510 | */ |
| 3511 | case MBEDTLS_SSL_CLIENT_HELLO: |
| 3512 | ret = mbedtls_ssl_write_client_hello(ssl); |
| 3513 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3514 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3515 | /* |
| 3516 | * <== ServerHello |
| 3517 | * Certificate |
| 3518 | * ( ServerKeyExchange ) |
| 3519 | * ( CertificateRequest ) |
| 3520 | * ServerHelloDone |
| 3521 | */ |
| 3522 | case MBEDTLS_SSL_SERVER_HELLO: |
| 3523 | ret = ssl_parse_server_hello(ssl); |
| 3524 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3525 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3526 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| 3527 | ret = mbedtls_ssl_parse_certificate(ssl); |
| 3528 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3529 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3530 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| 3531 | ret = ssl_parse_server_key_exchange(ssl); |
| 3532 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3533 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3534 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| 3535 | ret = ssl_parse_certificate_request(ssl); |
| 3536 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3537 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3538 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| 3539 | ret = ssl_parse_server_hello_done(ssl); |
| 3540 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3541 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3542 | /* |
| 3543 | * ==> ( Certificate/Alert ) |
| 3544 | * ClientKeyExchange |
| 3545 | * ( CertificateVerify ) |
| 3546 | * ChangeCipherSpec |
| 3547 | * Finished |
| 3548 | */ |
| 3549 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| 3550 | ret = mbedtls_ssl_write_certificate(ssl); |
| 3551 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3552 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3553 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| 3554 | ret = ssl_write_client_key_exchange(ssl); |
| 3555 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3556 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3557 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| 3558 | ret = ssl_write_certificate_verify(ssl); |
| 3559 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3560 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3561 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| 3562 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
| 3563 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3564 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3565 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| 3566 | ret = mbedtls_ssl_write_finished(ssl); |
| 3567 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3568 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3569 | /* |
| 3570 | * <== ( NewSessionTicket ) |
| 3571 | * ChangeCipherSpec |
| 3572 | * Finished |
| 3573 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3574 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3575 | case MBEDTLS_SSL_NEW_SESSION_TICKET: |
| 3576 | ret = ssl_parse_new_session_ticket(ssl); |
| 3577 | break; |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 3578 | #endif |
| Manuel Pégourié-Gonnard | cd32a50 | 2014-09-20 13:54:12 +0200 | [diff] [blame] | 3579 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3580 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 3581 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
| 3582 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3583 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3584 | case MBEDTLS_SSL_SERVER_FINISHED: |
| 3585 | ret = mbedtls_ssl_parse_finished(ssl); |
| 3586 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3587 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3588 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| 3589 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| 3590 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| 3591 | break; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3592 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3593 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| 3594 | mbedtls_ssl_handshake_wrapup(ssl); |
| 3595 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 3596 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3597 | default: |
| 3598 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 3599 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 3600 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3601 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3602 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3603 | } |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3604 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 3605 | #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |