| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2 | * TLS server-side functions |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3 | * |
| Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 4 | * Copyright The Mbed TLS Contributors |
| Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 18 | */ |
| 19 | |
| Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 20 | #include "common.h" |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 23 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 24 | #include "mbedtls/platform.h" |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 25 | |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 26 | #include "mbedtls/ssl.h" |
| Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 27 | #include "ssl_misc.h" |
| Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 28 | #include "mbedtls/debug.h" |
| 29 | #include "mbedtls/error.h" |
| Andres Amaya Garcia | 8491406 | 2018-04-24 08:40:46 -0500 | [diff] [blame] | 30 | #include "mbedtls/platform_util.h" |
| Gabor Mezei | 22c9a6f | 2021-10-20 12:09:35 +0200 | [diff] [blame] | 31 | #include "constant_time_internal.h" |
| Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 32 | #include "mbedtls/constant_time.h" |
| Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 33 | |
| 34 | #include <string.h> |
| 35 | |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 36 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 37 | #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ |
| 38 | psa_to_ssl_errors, \ |
| 39 | psa_generic_status_to_mbedtls) |
| 40 | #endif |
| 41 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 42 | #if defined(MBEDTLS_ECP_C) |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 43 | #include "mbedtls/ecp.h" |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 44 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 45 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 46 | #if defined(MBEDTLS_HAVE_TIME) |
| Simon Butcher | b5b6af2 | 2016-07-13 14:46:18 +0100 | [diff] [blame] | 47 | #include "mbedtls/platform_time.h" |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 48 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 49 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 50 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 51 | int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, |
| 52 | const unsigned char *info, |
| 53 | size_t ilen) |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 54 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 55 | if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { |
| 56 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 57 | } |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 58 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 59 | mbedtls_free(ssl->cli_id); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 60 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 61 | if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) { |
| 62 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| 63 | } |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 64 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 65 | memcpy(ssl->cli_id, info, ilen); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 66 | ssl->cli_id_len = ilen; |
| 67 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 68 | return 0; |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 69 | } |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 70 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 71 | void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, |
| 72 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 73 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| 74 | void *p_cookie) |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 75 | { |
| Manuel Pégourié-Gonnard | d36e33f | 2015-05-05 10:45:39 +0200 | [diff] [blame] | 76 | conf->f_cookie_write = f_cookie_write; |
| 77 | conf->f_cookie_check = f_cookie_check; |
| 78 | conf->p_cookie = p_cookie; |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 79 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 80 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 81 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 82 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 83 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 84 | static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 85 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 86 | if (conf->f_psk != NULL) { |
| 87 | return 1; |
| 88 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 89 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 90 | if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) { |
| 91 | return 0; |
| 92 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 93 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 94 | |
| 95 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 96 | if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { |
| 97 | return 1; |
| 98 | } |
| Neil Armstrong | 8ecd668 | 2022-05-05 11:40:35 +0200 | [diff] [blame] | 99 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 100 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 101 | if (conf->psk != NULL && conf->psk_len != 0) { |
| 102 | return 1; |
| 103 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 104 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 105 | return 0; |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 106 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 107 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 108 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 109 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 110 | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
| 111 | const unsigned char *buf, |
| 112 | size_t len) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 113 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 114 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 115 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 116 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 117 | if (len != 1 + ssl->verify_data_len || |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 118 | buf[0] != ssl->verify_data_len || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 119 | mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data, |
| 120 | ssl->verify_data_len) != 0) { |
| 121 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
| 122 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 123 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 124 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 125 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 126 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 127 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 128 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 129 | if (len != 1 || buf[0] != 0x0) { |
| 130 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info")); |
| 131 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 132 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 133 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 134 | } |
| 135 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 136 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 137 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 138 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 139 | return 0; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 140 | } |
| 141 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 142 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 143 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 144 | /* |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 145 | * Function for parsing a supported groups (TLS 1.3) or supported elliptic |
| 146 | * curves (TLS 1.2) extension. |
| 147 | * |
| 148 | * The "extension_data" field of a supported groups extension contains a |
| 149 | * "NamedGroupList" value (TLS 1.3 RFC8446): |
| 150 | * enum { |
| 151 | * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), |
| 152 | * x25519(0x001D), x448(0x001E), |
| 153 | * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), |
| 154 | * ffdhe6144(0x0103), ffdhe8192(0x0104), |
| 155 | * ffdhe_private_use(0x01FC..0x01FF), |
| 156 | * ecdhe_private_use(0xFE00..0xFEFF), |
| 157 | * (0xFFFF) |
| 158 | * } NamedGroup; |
| 159 | * struct { |
| 160 | * NamedGroup named_group_list<2..2^16-1>; |
| 161 | * } NamedGroupList; |
| 162 | * |
| 163 | * The "extension_data" field of a supported elliptic curves extension contains |
| 164 | * a "NamedCurveList" value (TLS 1.2 RFC 8422): |
| 165 | * enum { |
| 166 | * deprecated(1..22), |
| 167 | * secp256r1 (23), secp384r1 (24), secp521r1 (25), |
| 168 | * x25519(29), x448(30), |
| 169 | * reserved (0xFE00..0xFEFF), |
| 170 | * deprecated(0xFF01..0xFF02), |
| 171 | * (0xFFFF) |
| 172 | * } NamedCurve; |
| 173 | * struct { |
| 174 | * NamedCurve named_curve_list<2..2^16-1> |
| 175 | * } NamedCurveList; |
| 176 | * |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 177 | * The TLS 1.3 supported groups extension was defined to be a compatible |
| 178 | * generalization of the TLS 1.2 supported elliptic curves extension. They both |
| 179 | * share the same extension identifier. |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 180 | * |
| 181 | * DHE groups are not supported yet. |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 182 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 183 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 184 | static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, |
| 185 | const unsigned char *buf, |
| 186 | size_t len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 187 | { |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 188 | size_t list_size, our_size; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 189 | const unsigned char *p; |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 190 | uint16_t *curves_tls_id; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 191 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 192 | if (len < 2) { |
| 193 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 194 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 195 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 196 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 197 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 198 | list_size = ((buf[0] << 8) | (buf[1])); |
| 199 | if (list_size + 2 != len || |
| 200 | list_size % 2 != 0) { |
| 201 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 202 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 203 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 204 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 205 | } |
| 206 | |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 207 | /* Should never happen unless client duplicates the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 208 | if (ssl->handshake->curves_tls_id != NULL) { |
| 209 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 210 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 211 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 212 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 213 | } |
| 214 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 215 | /* Don't allow our peer to make us allocate too much memory, |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 216 | * and leave room for a final 0 */ |
| 217 | our_size = list_size / 2 + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 218 | if (our_size > MBEDTLS_ECP_DP_MAX) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 219 | our_size = MBEDTLS_ECP_DP_MAX; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 220 | } |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 221 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 222 | if ((curves_tls_id = mbedtls_calloc(our_size, |
| 223 | sizeof(*curves_tls_id))) == NULL) { |
| 224 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 225 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 226 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 227 | } |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 228 | |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 229 | ssl->handshake->curves_tls_id = curves_tls_id; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 230 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 231 | p = buf + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 232 | while (list_size > 0 && our_size > 1) { |
| 233 | uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0); |
| Manuel Pégourié-Gonnard | 568c9cf | 2013-09-16 17:30:04 +0200 | [diff] [blame] | 234 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 235 | if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) != |
| 236 | MBEDTLS_ECP_DP_NONE) { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 237 | *curves_tls_id++ = curr_tls_id; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 238 | our_size--; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 239 | } |
| 240 | |
| 241 | list_size -= 2; |
| 242 | p += 2; |
| 243 | } |
| 244 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 245 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 246 | } |
| 247 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 248 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 249 | static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, |
| 250 | const unsigned char *buf, |
| 251 | size_t len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 252 | { |
| 253 | size_t list_size; |
| 254 | const unsigned char *p; |
| 255 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 256 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
| 257 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 258 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 259 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 260 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 261 | } |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 262 | list_size = buf[0]; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 263 | |
| Manuel Pégourié-Gonnard | c1b46d0 | 2015-09-16 11:18:32 +0200 | [diff] [blame] | 264 | p = buf + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 265 | while (list_size > 0) { |
| 266 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 267 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
| Valerio Setti | 77a904c | 2023-03-24 07:28:49 +0100 | [diff] [blame] | 268 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) |
| Manuel Pégourié-Gonnard | 5734b2d | 2013-08-15 19:04:02 +0200 | [diff] [blame] | 269 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| Valerio Setti | 77a904c | 2023-03-24 07:28:49 +0100 | [diff] [blame] | 270 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 271 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 272 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 273 | mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, |
| 274 | p[0]); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 275 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 276 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
| 277 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 278 | } |
| 279 | |
| 280 | list_size--; |
| 281 | p++; |
| 282 | } |
| 283 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 284 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 285 | } |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 286 | #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 287 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 288 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 289 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 290 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 291 | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
| 292 | const unsigned char *buf, |
| 293 | size_t len) |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 294 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 295 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 296 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 297 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 298 | if (ssl->handshake->psa_pake_ctx_is_ok != 1) |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 299 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 300 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 301 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 302 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 303 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
| 304 | return 0; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 305 | } |
| 306 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 307 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 308 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 309 | &ssl->handshake->psa_pake_ctx, buf, len, |
| 310 | MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { |
| 311 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 312 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 313 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 314 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 315 | mbedtls_ssl_send_alert_message( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 316 | ssl, |
| 317 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 318 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 319 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 320 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 321 | } |
| 322 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 323 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
| 324 | buf, len)) != 0) { |
| 325 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
| 326 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 327 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 328 | return ret; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 329 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 330 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 331 | |
| 332 | /* Only mark the extension as OK when we're sure it is */ |
| 333 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| 334 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 335 | return 0; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 336 | } |
| 337 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 338 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 339 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 340 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 341 | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 342 | const unsigned char *buf, |
| 343 | size_t len) |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 344 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 345 | if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) { |
| 346 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 347 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 348 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 349 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 350 | } |
| 351 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 352 | ssl->session_negotiate->mfl_code = buf[0]; |
| 353 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 354 | return 0; |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 355 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 356 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 357 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 358 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 359 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 360 | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
| 361 | const unsigned char *buf, |
| 362 | size_t len) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 363 | { |
| 364 | size_t peer_cid_len; |
| 365 | |
| 366 | /* CID extension only makes sense in DTLS */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 367 | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 368 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 369 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 370 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 371 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 372 | } |
| 373 | |
| 374 | /* |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 375 | * struct { |
| 376 | * opaque cid<0..2^8-1>; |
| 377 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 378 | */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 379 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 380 | if (len < 1) { |
| 381 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 382 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 383 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 384 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 385 | } |
| 386 | |
| 387 | peer_cid_len = *buf++; |
| 388 | len--; |
| 389 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 390 | if (len != peer_cid_len) { |
| 391 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 392 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 393 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 394 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 395 | } |
| 396 | |
| 397 | /* Ignore CID if the user has disabled its use. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 398 | if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 399 | /* Leave ssl->handshake->cid_in_use in its default |
| 400 | * value of MBEDTLS_SSL_CID_DISABLED. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 401 | MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled")); |
| 402 | return 0; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 403 | } |
| 404 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 405 | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
| 406 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 407 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 408 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 409 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 410 | } |
| 411 | |
| Hanno Becker | 08556bf | 2019-05-03 12:43:44 +0100 | [diff] [blame] | 412 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 413 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 414 | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 415 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 416 | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
| 417 | MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 418 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 419 | return 0; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 420 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 421 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 422 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 423 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 424 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 425 | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 426 | const unsigned char *buf, |
| 427 | size_t len) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 428 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 429 | if (len != 0) { |
| 430 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 431 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 432 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 433 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 434 | } |
| 435 | |
| 436 | ((void) buf); |
| 437 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 438 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 439 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 440 | } |
| 441 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 442 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 443 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 444 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 445 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 446 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 447 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 448 | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 449 | const unsigned char *buf, |
| 450 | size_t len) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 451 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 452 | if (len != 0) { |
| 453 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 454 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 455 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 456 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 457 | } |
| 458 | |
| 459 | ((void) buf); |
| 460 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 461 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 462 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| Manuel Pégourié-Gonnard | b575b54 | 2014-10-24 15:12:31 +0200 | [diff] [blame] | 463 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 464 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 465 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 466 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 467 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 468 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 469 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 470 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 471 | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 472 | unsigned char *buf, |
| 473 | size_t len) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 474 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 475 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 476 | mbedtls_ssl_session session; |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 477 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 478 | mbedtls_ssl_session_init(&session); |
| Manuel Pégourié-Gonnard | bae389b | 2015-06-24 10:45:58 +0200 | [diff] [blame] | 479 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 480 | if (ssl->conf->f_ticket_parse == NULL || |
| 481 | ssl->conf->f_ticket_write == NULL) { |
| 482 | return 0; |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 483 | } |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 484 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 485 | /* Remember the client asked us to send a new ticket */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 486 | ssl->handshake->new_session_ticket = 1; |
| 487 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 488 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len)); |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 489 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 490 | if (len == 0) { |
| 491 | return 0; |
| 492 | } |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 493 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 494 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 495 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 496 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating")); |
| 497 | return 0; |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 498 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 499 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 500 | |
| 501 | /* |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 502 | * Failures are ok: just ignore the ticket and proceed. |
| 503 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 504 | if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session, |
| 505 | buf, len)) != 0) { |
| 506 | mbedtls_ssl_session_free(&session); |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 507 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 508 | if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { |
| 509 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); |
| 510 | } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { |
| 511 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); |
| 512 | } else { |
| 513 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); |
| 514 | } |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 515 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 516 | return 0; |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 517 | } |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 518 | |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 519 | /* |
| 520 | * Keep the session ID sent by the client, since we MUST send it back to |
| 521 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| 522 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 523 | session.id_len = ssl->session_negotiate->id_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 524 | memcpy(&session.id, ssl->session_negotiate->id, session.id_len); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 525 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 526 | mbedtls_ssl_session_free(ssl->session_negotiate); |
| 527 | memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session)); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 528 | |
| 529 | /* Zeroize instead of free as we copied the content */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 530 | mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session)); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 531 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 532 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket")); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 533 | |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 534 | ssl->handshake->resume = 1; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 535 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 536 | /* Don't send a new ticket after all, this one is OK */ |
| 537 | ssl->handshake->new_session_ticket = 0; |
| 538 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 539 | return 0; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 540 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 541 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 542 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 543 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 544 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 545 | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 546 | const unsigned char *buf, |
| 547 | size_t len) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 548 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 549 | mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 550 | size_t i, j; |
| Johan Pascal | f6417ec | 2020-09-22 15:15:19 +0200 | [diff] [blame] | 551 | size_t profile_length; |
| 552 | uint16_t mki_length; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 553 | /*! 2 bytes for profile length and 1 byte for mki len */ |
| 554 | const size_t size_of_lengths = 3; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 555 | |
| 556 | /* If use_srtp is not configured, just ignore the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 557 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 558 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 559 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 560 | return 0; |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 561 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 562 | |
| 563 | /* RFC5764 section 4.1.1 |
| 564 | * uint8 SRTPProtectionProfile[2]; |
| 565 | * |
| 566 | * struct { |
| 567 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 568 | * opaque srtp_mki<0..255>; |
| 569 | * } UseSRTPData; |
| 570 | |
| 571 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 572 | */ |
| 573 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 574 | /* |
| 575 | * Min length is 5: at least one protection profile(2 bytes) |
| 576 | * and length(2 bytes) + srtp_mki length(1 byte) |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 577 | * Check here that we have at least 2 bytes of protection profiles length |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 578 | * and one of srtp_mki length |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 579 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 580 | if (len < size_of_lengths) { |
| 581 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 582 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 583 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 584 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 585 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 586 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 587 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 588 | /* first 2 bytes are protection profile length(in bytes) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 589 | profile_length = (buf[0] << 8) | buf[1]; |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 590 | buf += 2; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 591 | |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 592 | /* The profile length cannot be bigger than input buffer size - lengths fields */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 593 | if (profile_length > len - size_of_lengths || |
| 594 | profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */ |
| 595 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 596 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 597 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 598 | } |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 599 | /* |
| 600 | * parse the extension list values are defined in |
| 601 | * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml |
| 602 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 603 | for (j = 0; j < profile_length; j += 2) { |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 604 | uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 605 | client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 606 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 607 | if (client_protection != MBEDTLS_TLS_SRTP_UNSET) { |
| 608 | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
| 609 | mbedtls_ssl_get_srtp_profile_as_string( |
| 610 | client_protection))); |
| 611 | } else { |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 612 | continue; |
| 613 | } |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 614 | /* check if suggested profile is in our list */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
| 616 | if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 617 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 618 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
| 619 | mbedtls_ssl_get_srtp_profile_as_string( |
| 620 | client_protection))); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 621 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 622 | } |
| 623 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 624 | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 625 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 626 | } |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 627 | } |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 628 | buf += profile_length; /* buf points to the mki length */ |
| 629 | mki_length = *buf; |
| 630 | buf++; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 631 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 632 | if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || |
| 633 | mki_length + profile_length + size_of_lengths != len) { |
| 634 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 635 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 636 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 637 | } |
| 638 | |
| 639 | /* Parse the mki only if present and mki is supported locally */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 640 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && |
| 641 | mki_length > 0) { |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 642 | ssl->dtls_srtp_info.mki_len = mki_length; |
| 643 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 644 | memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 645 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 646 | MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value, |
| 647 | ssl->dtls_srtp_info.mki_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 648 | } |
| 649 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 650 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 651 | } |
| 652 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 653 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 654 | /* |
| 655 | * Auxiliary functions for ServerHello parsing and related actions |
| 656 | */ |
| 657 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 658 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 659 | /* |
| Manuel Pégourié-Gonnard | 6458e3b | 2015-01-08 14:16:56 +0100 | [diff] [blame] | 660 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 661 | */ |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 662 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 663 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 664 | static int ssl_check_key_curve(mbedtls_pk_context *pk, |
| 665 | uint16_t *curves_tls_id) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 666 | { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 667 | uint16_t *curr_tls_id = curves_tls_id; |
| Valerio Setti | 77a7568 | 2023-05-15 11:18:46 +0200 | [diff] [blame] | 668 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id; |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 669 | mbedtls_ecp_group_id curr_grp_id; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 670 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 671 | while (*curr_tls_id != 0) { |
| 672 | curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| 673 | if (curr_grp_id == grp_id) { |
| 674 | return 0; |
| 675 | } |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 676 | curr_tls_id++; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 677 | } |
| 678 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 679 | return -1; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 680 | } |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 681 | #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 682 | |
| 683 | /* |
| 684 | * Try picking a certificate for this ciphersuite, |
| 685 | * return 0 on success and -1 on failure. |
| 686 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 687 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 688 | static int ssl_pick_cert(mbedtls_ssl_context *ssl, |
| 689 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 690 | { |
| Glenn Strauss | 041a376 | 2022-03-15 06:08:29 -0400 | [diff] [blame] | 691 | mbedtls_ssl_key_cert *cur, *list; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 692 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 693 | psa_algorithm_t pk_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 694 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 695 | psa_key_usage_t pk_usage = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 696 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 697 | #else |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 698 | mbedtls_pk_type_t pk_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 699 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 700 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | e6ef16f | 2015-05-11 19:54:43 +0200 | [diff] [blame] | 701 | uint32_t flags; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 702 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 703 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 704 | if (ssl->handshake->sni_key_cert != NULL) { |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 705 | list = ssl->handshake->sni_key_cert; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 706 | } else |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 707 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 708 | list = ssl->conf->key_cert; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 709 | |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 710 | int pk_alg_is_none = 0; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 711 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 712 | pk_alg_is_none = (pk_alg == PSA_ALG_NONE); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 713 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 714 | pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 715 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 716 | if (pk_alg_is_none) { |
| 717 | return 0; |
| Manuel Pégourié-Gonnard | e540b49 | 2015-07-07 12:44:38 +0200 | [diff] [blame] | 718 | } |
| 719 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 720 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate")); |
| 721 | |
| 722 | if (list == NULL) { |
| 723 | MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); |
| 724 | return -1; |
| 725 | } |
| 726 | |
| 727 | for (cur = list; cur != NULL; cur = cur->next) { |
| Andrzej Kurek | 7ed01e8 | 2020-03-18 11:51:59 -0400 | [diff] [blame] | 728 | flags = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 729 | MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate", |
| 730 | cur->cert); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 731 | |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 732 | int key_type_matches = 0; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 733 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 734 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 735 | key_type_matches = ((ssl->conf->f_async_sign_start != NULL || |
| 736 | ssl->conf->f_async_decrypt_start != NULL || |
| 737 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) && |
| 738 | mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage)); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 739 | #else |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 740 | key_type_matches = ( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 741 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 742 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 743 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 744 | key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 745 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 746 | if (!key_type_matches) { |
| 747 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type")); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 748 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 749 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 750 | |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 751 | /* |
| 752 | * This avoids sending the client a cert it'll reject based on |
| 753 | * keyUsage or other extensions. |
| 754 | * |
| 755 | * It also allows the user to provision different certificates for |
| 756 | * different uses based on keyUsage, eg if they want to avoid signing |
| 757 | * and decrypting with the same RSA key. |
| 758 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 759 | if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, |
| 760 | MBEDTLS_SSL_IS_SERVER, &flags) != 0) { |
| 761 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " |
| 762 | "(extended) key usage extension")); |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 763 | continue; |
| 764 | } |
| 765 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 766 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 767 | if (pk_alg == MBEDTLS_PK_ECDSA && |
| 768 | ssl_check_key_curve(&cur->cert->pk, |
| 769 | ssl->handshake->curves_tls_id) != 0) { |
| 770 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve")); |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 771 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 772 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 773 | #endif |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 774 | |
| 775 | /* If we get there, we got a winner */ |
| 776 | break; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 777 | } |
| 778 | |
| Manuel Pégourié-Gonnard | 8f618a8 | 2015-05-10 21:13:36 +0200 | [diff] [blame] | 779 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 780 | if (cur != NULL) { |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 781 | ssl->handshake->key_cert = cur; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 782 | MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate", |
| 783 | ssl->handshake->key_cert->cert); |
| 784 | return 0; |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 785 | } |
| 786 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 787 | return -1; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 788 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 789 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 790 | |
| 791 | /* |
| 792 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| 793 | * Sets ciphersuite_info only if the suite matches. |
| 794 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 795 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 796 | static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, |
| 797 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 798 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 799 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 800 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 801 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 802 | mbedtls_pk_type_t sig_type; |
| 803 | #endif |
| 804 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 805 | suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); |
| 806 | if (suite_info == NULL) { |
| 807 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 808 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 809 | } |
| 810 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 811 | MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)", |
| 812 | (unsigned int) suite_id, suite_info->name)); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 813 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 814 | if (suite_info->min_tls_version > ssl->tls_version || |
| 815 | suite_info->max_tls_version < ssl->tls_version) { |
| 816 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); |
| 817 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 818 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 819 | |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 820 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 821 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| 822 | (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) { |
| 823 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake " |
| 824 | "not configured or ext missing")); |
| 825 | return 0; |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 826 | } |
| 827 | #endif |
| 828 | |
| 829 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 830 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 831 | if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && |
| 832 | (ssl->handshake->curves_tls_id == NULL || |
| 833 | ssl->handshake->curves_tls_id[0] == 0)) { |
| 834 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 835 | "no common elliptic curve")); |
| 836 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 837 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 838 | #endif |
| 839 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 840 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 841 | /* If the ciphersuite requires a pre-shared key and we don't |
| 842 | * have one, skip it now rather than failing later */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 843 | if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && |
| 844 | ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 845 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key")); |
| 846 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 847 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 848 | #endif |
| 849 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 850 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 851 | /* |
| 852 | * Final check: if ciphersuite requires us to have a |
| 853 | * certificate/key of a particular type: |
| 854 | * - select the appropriate certificate if we have one, or |
| 855 | * - try the next ciphersuite if we don't |
| 856 | * This must be done last since we modify the key_cert list. |
| 857 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 858 | if (ssl_pick_cert(ssl, suite_info) != 0) { |
| 859 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 860 | "no suitable certificate")); |
| 861 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 862 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 863 | #endif |
| 864 | |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 865 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 866 | /* If the ciphersuite requires signing, check whether |
| 867 | * a suitable hash algorithm is present. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 868 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); |
| 869 | if (sig_type != MBEDTLS_PK_NONE && |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 870 | mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 871 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { |
| 872 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " |
| 873 | "for signature algorithm %u", (unsigned) sig_type)); |
| 874 | return 0; |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 875 | } |
| 876 | |
| 877 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 878 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 879 | *ciphersuite_info = suite_info; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 880 | return 0; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 881 | } |
| 882 | |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 883 | /* This function doesn't alert on errors that happen early during |
| 884 | ClientHello parsing because they might indicate that the client is |
| 885 | not talking SSL/TLS at all and would not understand our alert. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 886 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 887 | static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 888 | { |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 889 | int ret, got_common_suite; |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 890 | size_t i, j; |
| 891 | size_t ciph_offset, comp_offset, ext_offset; |
| 892 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 893 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 894 | size_t cookie_offset, cookie_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 895 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 896 | unsigned char *buf, *p, *ext; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 897 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 898 | int renegotiation_info_seen = 0; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 899 | #endif |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 900 | int handshake_failure = 0; |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 901 | const int *ciphersuites; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 902 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 903 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 904 | /* If there is no signature-algorithm extension present, |
| 905 | * we need to fall back to the default values for allowed |
| 906 | * signature-hash pairs. */ |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 907 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 908 | int sig_hash_alg_ext_present = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 909 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 910 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 911 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 912 | |
| David Horstmann | e0af39a | 2022-10-06 18:19:18 +0100 | [diff] [blame] | 913 | int renegotiating; |
| 914 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 915 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 916 | read_record_header: |
| 917 | #endif |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 918 | /* |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 919 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(), |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 920 | * otherwise read it ourselves manually in order to support SSLv2 |
| 921 | * ClientHello, which doesn't use the same record layer format. |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 922 | * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the |
| 923 | * ClientHello has been already fully fetched by the TLS 1.3 code and the |
| 924 | * flag ssl->keep_current_message is raised. |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 925 | */ |
| David Horstmann | e0af39a | 2022-10-06 18:19:18 +0100 | [diff] [blame] | 926 | renegotiating = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 927 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 928 | renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 929 | #endif |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 930 | if (!renegotiating && !ssl->keep_current_message) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 931 | if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 932 | /* No alert on a read error. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 933 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); |
| 934 | return ret; |
| Manuel Pégourié-Gonnard | 59c6f2e | 2015-01-22 11:06:40 +0000 | [diff] [blame] | 935 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 936 | } |
| 937 | |
| 938 | buf = ssl->in_hdr; |
| 939 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 940 | MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl)); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 941 | |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 942 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 943 | * TLS Client Hello |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 944 | * |
| 945 | * Record layer: |
| 946 | * 0 . 0 message type |
| 947 | * 1 . 2 protocol version |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 948 | * 3 . 11 DTLS: epoch + record sequence number |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 949 | * 3 . 4 message length |
| 950 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 951 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d", |
| 952 | buf[0])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 953 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 954 | if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 955 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 956 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 957 | } |
| 958 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 959 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d", |
| 960 | (ssl->in_len[0] << 8) | ssl->in_len[1])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 961 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 962 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]", |
| 963 | buf[1], buf[2])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 964 | |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 965 | /* For DTLS if this is the initial handshake, remember the client sequence |
| 966 | * number to use it in our next message (RFC 6347 4.2.1) */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 967 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 968 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 969 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 970 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 3a173f4 | 2015-01-22 13:30:33 +0000 | [diff] [blame] | 971 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 972 | ) { |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 973 | /* Epoch should be 0 for initial handshakes */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 974 | if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) { |
| 975 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 976 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 977 | } |
| 978 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 979 | memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2, |
| 980 | sizeof(ssl->cur_out_ctr) - 2); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 981 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 982 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 983 | if (mbedtls_ssl_dtls_replay_check(ssl) != 0) { |
| 984 | MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding")); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 985 | ssl->next_record_offset = 0; |
| 986 | ssl->in_left = 0; |
| 987 | goto read_record_header; |
| 988 | } |
| 989 | |
| 990 | /* No MAC to check yet, so we can update right now */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 991 | mbedtls_ssl_dtls_replay_update(ssl); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 992 | #endif |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 993 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 994 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 995 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 996 | msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 997 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 998 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 999 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1000 | /* Set by mbedtls_ssl_read_record() */ |
| Manuel Pégourié-Gonnard | b89c4f3 | 2015-01-21 13:24:10 +0000 | [diff] [blame] | 1001 | msg_len = ssl->in_hslen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1002 | } else |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1003 | #endif |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1004 | { |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1005 | if (ssl->keep_current_message) { |
| 1006 | ssl->keep_current_message = 0; |
| 1007 | } else { |
| 1008 | if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) { |
| 1009 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1010 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 1011 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1012 | |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1013 | if ((ret = mbedtls_ssl_fetch_input(ssl, |
| 1014 | mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) { |
| 1015 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); |
| 1016 | return ret; |
| 1017 | } |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1018 | |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1019 | /* Done reading this record, get ready for the next one */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1020 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1021 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1022 | ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl); |
| 1023 | } else |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1024 | #endif |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1025 | ssl->in_left = 0; |
| 1026 | } |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1027 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1028 | |
| 1029 | buf = ssl->in_msg; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1030 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1031 | MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1032 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1033 | ret = ssl->handshake->update_checksum(ssl, buf, msg_len); |
| 1034 | if (0 != ret) { |
| 1035 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
| 1036 | return ret; |
| 1037 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1038 | |
| 1039 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1040 | * Handshake layer: |
| 1041 | * 0 . 0 handshake type |
| 1042 | * 1 . 3 handshake length |
| Shaun Case | 8b0ecbc | 2021-12-20 21:14:10 -0800 | [diff] [blame] | 1043 | * 4 . 5 DTLS only: message sequence number |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1044 | * 6 . 8 DTLS only: fragment offset |
| 1045 | * 9 . 11 DTLS only: fragment length |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1046 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1047 | if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) { |
| 1048 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1049 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1050 | } |
| 1051 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1052 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0])); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1053 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1054 | if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) { |
| 1055 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1056 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1057 | } |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1058 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1059 | size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); |
| 1060 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", |
| 1061 | (unsigned) handshake_len)); |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1062 | |
| 1063 | /* The record layer has a record size limit of 2^14 - 1 and |
| 1064 | * fragmentation is not supported, so buf[1] should be zero. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1065 | if (buf[1] != 0) { |
| 1066 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", |
| 1067 | (unsigned) buf[1])); |
| 1068 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1069 | } |
| 1070 | |
| 1071 | /* We don't support fragmentation of ClientHello (yet?) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1072 | if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { |
| 1073 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", |
| 1074 | (unsigned) msg_len, |
| 1075 | (unsigned) mbedtls_ssl_hs_hdr_len(ssl), |
| 1076 | (unsigned) handshake_len)); |
| 1077 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1078 | } |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1079 | } |
| 1080 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1081 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1082 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1083 | /* |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1084 | * Copy the client's handshake message_seq on initial handshakes, |
| 1085 | * check sequence number on renego. |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1086 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1087 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1088 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1089 | /* This couldn't be done in ssl_prepare_handshake_record() */ |
| Thomas Daubney | f9f0ba8 | 2023-05-23 17:34:33 +0100 | [diff] [blame] | 1090 | unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1091 | if (cli_msg_seq != ssl->handshake->in_msg_seq) { |
| 1092 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: " |
| 1093 | "%u (expected %u)", cli_msg_seq, |
| 1094 | ssl->handshake->in_msg_seq)); |
| 1095 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1096 | } |
| 1097 | |
| 1098 | ssl->handshake->in_msg_seq++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1099 | } else |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1100 | #endif |
| 1101 | { |
| Thomas Daubney | f9f0ba8 | 2023-05-23 17:34:33 +0100 | [diff] [blame] | 1102 | unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4); |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1103 | ssl->handshake->out_msg_seq = cli_msg_seq; |
| 1104 | ssl->handshake->in_msg_seq = cli_msg_seq + 1; |
| 1105 | } |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1106 | { |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1107 | /* |
| 1108 | * For now we don't support fragmentation, so make sure |
| 1109 | * fragment_offset == 0 and fragment_length == length |
| 1110 | */ |
| 1111 | size_t fragment_offset, fragment_length, length; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1112 | fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6); |
| 1113 | fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9); |
| 1114 | length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1); |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1115 | MBEDTLS_SSL_DEBUG_MSG( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1116 | 4, ("fragment_offset=%u fragment_length=%u length=%u", |
| 1117 | (unsigned) fragment_offset, (unsigned) fragment_length, |
| 1118 | (unsigned) length)); |
| 1119 | if (fragment_offset != 0 || length != fragment_length) { |
| 1120 | MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported")); |
| 1121 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1122 | } |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1123 | } |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1124 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1125 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1126 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1127 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
| 1128 | msg_len -= mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1129 | |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1130 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1131 | * ClientHello layer: |
| 1132 | * 0 . 1 protocol version |
| 1133 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| 1134 | * 34 . 35 session id length (1 byte) |
| 1135 | * 35 . 34+x session id |
| 1136 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| 1137 | * 36+x . .. DTLS only: cookie |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1138 | * .. . .. ciphersuite list length (2 bytes) |
| 1139 | * .. . .. ciphersuite list |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1140 | * .. . .. compression alg. list length (1 byte) |
| 1141 | * .. . .. compression alg. list |
| 1142 | * .. . .. extensions length (2 bytes, optional) |
| 1143 | * .. . .. extensions (optional) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1144 | */ |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1145 | |
| 1146 | /* |
| Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 1147 | * Minimal length (with everything empty and extensions omitted) is |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1148 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| 1149 | * read at least up to session id length without worrying. |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1150 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1151 | if (msg_len < 38) { |
| 1152 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1153 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1154 | } |
| 1155 | |
| 1156 | /* |
| 1157 | * Check and save the protocol version |
| 1158 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1159 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1160 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1161 | ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); |
| Glenn Strauss | 60bfe60 | 2022-03-14 19:04:24 -0400 | [diff] [blame] | 1162 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1163 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1164 | if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { |
| 1165 | MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); |
| 1166 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1167 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| 1168 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1169 | } |
| 1170 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1171 | /* |
| 1172 | * Save client random (inc. Unix time) |
| 1173 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1174 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1175 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1176 | memcpy(ssl->handshake->randbytes, buf + 2, 32); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1177 | |
| 1178 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1179 | * Check the session ID length and save session ID |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1180 | */ |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1181 | sess_len = buf[34]; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1182 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1183 | if (sess_len > sizeof(ssl->session_negotiate->id) || |
| 1184 | sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */ |
| 1185 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1186 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1187 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1188 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1189 | } |
| 1190 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1191 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1192 | |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1193 | ssl->session_negotiate->id_len = sess_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1194 | memset(ssl->session_negotiate->id, 0, |
| 1195 | sizeof(ssl->session_negotiate->id)); |
| 1196 | memcpy(ssl->session_negotiate->id, buf + 35, |
| 1197 | ssl->session_negotiate->id_len); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1198 | |
| 1199 | /* |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1200 | * Check the cookie length and content |
| 1201 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1202 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1203 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1204 | cookie_offset = 35 + sess_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1205 | cookie_len = buf[cookie_offset]; |
| 1206 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1207 | if (cookie_offset + 1 + cookie_len + 2 > msg_len) { |
| 1208 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1209 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1210 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1211 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1212 | } |
| 1213 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1214 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", |
| 1215 | buf + cookie_offset + 1, cookie_len); |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1216 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1217 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1218 | if (ssl->conf->f_cookie_check != NULL |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1219 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1220 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1221 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1222 | ) { |
| 1223 | if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, |
| 1224 | buf + cookie_offset + 1, cookie_len, |
| 1225 | ssl->cli_id, ssl->cli_id_len) != 0) { |
| 1226 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1227 | ssl->handshake->cookie_verify_result = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1228 | } else { |
| 1229 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1230 | ssl->handshake->cookie_verify_result = 0; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1231 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1232 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1233 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1234 | { |
| 1235 | /* We know we didn't send a cookie, so it should be empty */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1236 | if (cookie_len != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1237 | /* This may be an attacker's probe, so don't send an alert */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1238 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1239 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1240 | } |
| 1241 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1242 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1243 | } |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1244 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1245 | /* |
| 1246 | * Check the ciphersuitelist length (will be parsed later) |
| 1247 | */ |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1248 | ciph_offset = cookie_offset + 1 + cookie_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1249 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1250 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1251 | ciph_offset = 35 + sess_len; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1252 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1253 | ciph_len = (buf[ciph_offset + 0] << 8) |
| 1254 | | (buf[ciph_offset + 1]); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1255 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1256 | if (ciph_len < 2 || |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1257 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1258 | (ciph_len % 2) != 0) { |
| 1259 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1260 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1261 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1262 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1263 | } |
| 1264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1265 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", |
| 1266 | buf + ciph_offset + 2, ciph_len); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1267 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1268 | /* |
| Thomas Daubney | 20f89a9 | 2022-06-20 15:12:19 +0100 | [diff] [blame] | 1269 | * Check the compression algorithm's length. |
| 1270 | * The list contents are ignored because implementing |
| 1271 | * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only |
| 1272 | * option supported by Mbed TLS. |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1273 | */ |
| 1274 | comp_offset = ciph_offset + 2 + ciph_len; |
| 1275 | |
| 1276 | comp_len = buf[comp_offset]; |
| 1277 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1278 | if (comp_len < 1 || |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1279 | comp_len > 16 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1280 | comp_len + comp_offset + 1 > msg_len) { |
| 1281 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1282 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1283 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1284 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1285 | } |
| 1286 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1287 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", |
| 1288 | buf + comp_offset + 1, comp_len); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1289 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1290 | /* |
| 1291 | * Check the extension length |
| 1292 | */ |
| 1293 | ext_offset = comp_offset + 1 + comp_len; |
| 1294 | if (msg_len > ext_offset) { |
| 1295 | if (msg_len < ext_offset + 2) { |
| 1296 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1297 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1298 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1299 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1300 | } |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1301 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1302 | ext_len = (buf[ext_offset + 0] << 8) |
| 1303 | | (buf[ext_offset + 1]); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1304 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1305 | if (msg_len != ext_offset + 2 + ext_len) { |
| 1306 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1307 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1308 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1309 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1310 | } |
| 1311 | } else { |
| 1312 | ext_len = 0; |
| 1313 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1314 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1315 | ext = buf + ext_offset + 2; |
| 1316 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); |
| 1317 | |
| 1318 | while (ext_len != 0) { |
| 1319 | unsigned int ext_id; |
| 1320 | unsigned int ext_size; |
| 1321 | if (ext_len < 4) { |
| 1322 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1323 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1324 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1325 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1326 | } |
| 1327 | ext_id = ((ext[0] << 8) | (ext[1])); |
| 1328 | ext_size = ((ext[2] << 8) | (ext[3])); |
| 1329 | |
| 1330 | if (ext_size + 4 > ext_len) { |
| 1331 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1332 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1333 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1334 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1335 | } |
| 1336 | switch (ext_id) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1337 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1338 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1339 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); |
| 1340 | ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4, |
| 1341 | ext + 4 + ext_size); |
| 1342 | if (ret != 0) { |
| 1343 | return ret; |
| 1344 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1345 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1346 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 1347 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1348 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1349 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1350 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1351 | renegotiation_info_seen = 1; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1352 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1353 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1354 | ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size); |
| 1355 | if (ret != 0) { |
| 1356 | return ret; |
| 1357 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1358 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1359 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1360 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1361 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1362 | MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); |
| Ron Eldor | 73a3817 | 2017-10-03 15:58:26 +0300 | [diff] [blame] | 1363 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1364 | ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size); |
| 1365 | if (ret != 0) { |
| 1366 | return ret; |
| 1367 | } |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1368 | |
| 1369 | sig_hash_alg_ext_present = 1; |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1370 | break; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1371 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1372 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1373 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1374 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b47d0f8 | 2021-12-20 17:34:40 +0800 | [diff] [blame] | 1375 | case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1376 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1377 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1378 | ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); |
| 1379 | if (ret != 0) { |
| 1380 | return ret; |
| 1381 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1382 | break; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1383 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1384 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1385 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension")); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1386 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1387 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1388 | ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size); |
| 1389 | if (ret != 0) { |
| 1390 | return ret; |
| 1391 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1392 | break; |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1393 | #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1394 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1395 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1396 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1397 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1398 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension")); |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1399 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1400 | ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size); |
| 1401 | if (ret != 0) { |
| 1402 | return ret; |
| 1403 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1404 | break; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1405 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1406 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1407 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1408 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1409 | MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1410 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1411 | ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); |
| 1412 | if (ret != 0) { |
| 1413 | return ret; |
| 1414 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1415 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1416 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1417 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1418 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1419 | case MBEDTLS_TLS_EXT_CID: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1420 | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1421 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1422 | ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); |
| 1423 | if (ret != 0) { |
| 1424 | return ret; |
| 1425 | } |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1426 | break; |
| Thomas Daubney | e1c9a40 | 2021-06-15 11:26:43 +0100 | [diff] [blame] | 1427 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1428 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1429 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1430 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1431 | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1432 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1433 | ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size); |
| 1434 | if (ret != 0) { |
| 1435 | return ret; |
| 1436 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1437 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1438 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1439 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1440 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1441 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1442 | MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1443 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1444 | ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size); |
| 1445 | if (ret != 0) { |
| 1446 | return ret; |
| 1447 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1448 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1449 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1450 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1451 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1452 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1453 | MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1454 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1455 | ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size); |
| 1456 | if (ret != 0) { |
| 1457 | return ret; |
| 1458 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1459 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1460 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1461 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1462 | #if defined(MBEDTLS_SSL_ALPN) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1463 | case MBEDTLS_TLS_EXT_ALPN: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1464 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1465 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1466 | ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4, |
| 1467 | ext + 4 + ext_size); |
| 1468 | if (ret != 0) { |
| 1469 | return ret; |
| 1470 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1471 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1472 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1473 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1474 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 1475 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1476 | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 1477 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1478 | ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size); |
| 1479 | if (ret != 0) { |
| 1480 | return ret; |
| 1481 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1482 | break; |
| 1483 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1484 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1485 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1486 | MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)", |
| 1487 | ext_id)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1488 | } |
| Janos Follath | c6dab2b | 2016-05-23 14:27:02 +0100 | [diff] [blame] | 1489 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1490 | ext_len -= 4 + ext_size; |
| 1491 | ext += 4 + ext_size; |
| 1492 | } |
| 1493 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1494 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1495 | |
| 1496 | /* |
| 1497 | * Try to fall back to default hash SHA1 if the client |
| 1498 | * hasn't provided any preferred signature-hash combinations. |
| 1499 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1500 | if (!sig_hash_alg_ext_present) { |
| Gabor Mezei | 86acf05 | 2022-05-10 13:29:02 +0200 | [diff] [blame] | 1501 | uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; |
| 1502 | const uint16_t default_sig_algs[] = { |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1503 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1504 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, |
| 1505 | MBEDTLS_SSL_HASH_SHA1), |
| Gabor Mezei | c1051b6 | 2022-05-10 13:13:58 +0200 | [diff] [blame] | 1506 | #endif |
| 1507 | #if defined(MBEDTLS_RSA_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1508 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, |
| 1509 | MBEDTLS_SSL_HASH_SHA1), |
| Gabor Mezei | c1051b6 | 2022-05-10 13:13:58 +0200 | [diff] [blame] | 1510 | #endif |
| Gabor Mezei | 86acf05 | 2022-05-10 13:29:02 +0200 | [diff] [blame] | 1511 | MBEDTLS_TLS_SIG_NONE |
| Gabor Mezei | 078e803 | 2022-04-27 21:17:56 +0200 | [diff] [blame] | 1512 | }; |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1513 | |
| Tom Cosgrove | 6ef9bb3 | 2023-03-08 14:19:51 +0000 | [diff] [blame] | 1514 | MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0]) |
| 1515 | <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE, |
| 1516 | "default_sig_algs is too big"); |
| Gabor Mezei | 078e803 | 2022-04-27 21:17:56 +0200 | [diff] [blame] | 1517 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1518 | memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1519 | } |
| 1520 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1521 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1522 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1523 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1524 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| 1525 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1526 | for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) { |
| 1527 | if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) { |
| 1528 | MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO ")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1529 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1530 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| 1531 | MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV " |
| 1532 | "during renegotiation")); |
| 1533 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1534 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1535 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1536 | } |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1537 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1538 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1539 | break; |
| 1540 | } |
| 1541 | } |
| 1542 | |
| 1543 | /* |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1544 | * Renegotiation security checks |
| 1545 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1546 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| 1547 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
| 1548 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1549 | handshake_failure = 1; |
| 1550 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1551 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1552 | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1553 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1554 | renegotiation_info_seen == 0) { |
| 1555 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1556 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1557 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1558 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1559 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
| 1560 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1561 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1562 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1563 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1564 | renegotiation_info_seen == 1) { |
| 1565 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1566 | handshake_failure = 1; |
| 1567 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1568 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1569 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1570 | if (handshake_failure == 1) { |
| 1571 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1572 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1573 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1574 | } |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1575 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1576 | /* |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1577 | * Server certification selection (after processing TLS extensions) |
| 1578 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1579 | if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { |
| 1580 | MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); |
| 1581 | return ret; |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1582 | } |
| Glenn Strauss | 6989407 | 2022-01-24 12:58:00 -0500 | [diff] [blame] | 1583 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 1584 | ssl->handshake->sni_name = NULL; |
| 1585 | ssl->handshake->sni_name_len = 0; |
| 1586 | #endif |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1587 | |
| 1588 | /* |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1589 | * Search for a matching ciphersuite |
| Manuel Pégourié-Gonnard | 3ebb2cd | 2013-09-23 17:00:18 +0200 | [diff] [blame] | 1590 | * (At the end because we need information from the EC-based extensions |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1591 | * and certificate from the SNI callback triggered by the SNI extension |
| 1592 | * or certificate from server certificate selection callback.) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1593 | */ |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1594 | got_common_suite = 0; |
| Hanno Becker | d60b6c6 | 2021-04-29 12:04:11 +0100 | [diff] [blame] | 1595 | ciphersuites = ssl->conf->ciphersuite_list; |
| Manuel Pégourié-Gonnard | 59b81d7 | 2013-11-30 17:46:04 +0100 | [diff] [blame] | 1596 | ciphersuite_info = NULL; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1597 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1598 | if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) { |
| 1599 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1600 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1601 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1602 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1603 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1604 | |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1605 | got_common_suite = 1; |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1606 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1607 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1608 | &ciphersuite_info)) != 0) { |
| 1609 | return ret; |
| 1610 | } |
| Manuel Pégourié-Gonnard | 011a8db | 2013-11-30 18:11:07 +0100 | [diff] [blame] | 1611 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1612 | if (ciphersuite_info != NULL) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1613 | goto have_ciphersuite; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1614 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1615 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1616 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1617 | } else { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1618 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1619 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1620 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1621 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1622 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1623 | |
| 1624 | got_common_suite = 1; |
| 1625 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1626 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1627 | &ciphersuite_info)) != 0) { |
| 1628 | return ret; |
| 1629 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1630 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1631 | if (ciphersuite_info != NULL) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1632 | goto have_ciphersuite; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1633 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1634 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1635 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1636 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1637 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1638 | if (got_common_suite) { |
| 1639 | MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, " |
| 1640 | "but none of them usable")); |
| 1641 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1642 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1643 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1644 | } else { |
| 1645 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); |
| 1646 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1647 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1648 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1649 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1650 | |
| 1651 | have_ciphersuite: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1652 | MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1653 | |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1654 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 1655 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1656 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1657 | ssl->state++; |
| 1658 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1659 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1660 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1661 | mbedtls_ssl_recv_flight_completed(ssl); |
| 1662 | } |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 1663 | #endif |
| 1664 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1665 | /* Debugging-only output for testsuite */ |
| 1666 | #if defined(MBEDTLS_DEBUG_C) && \ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1667 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1668 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); |
| 1669 | if (sig_alg != MBEDTLS_PK_NONE) { |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 1670 | unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1671 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| 1672 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", |
| 1673 | sig_hash)); |
| 1674 | } else { |
| 1675 | MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm " |
| 1676 | "%u - should not happen", (unsigned) sig_alg)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1677 | } |
| 1678 | #endif |
| 1679 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1680 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1681 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1682 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1683 | } |
| 1684 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1685 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1686 | static void ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
| 1687 | unsigned char *buf, |
| 1688 | size_t *olen) |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1689 | { |
| 1690 | unsigned char *p = buf; |
| 1691 | size_t ext_len; |
| 1692 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1693 | |
| 1694 | *olen = 0; |
| 1695 | |
| 1696 | /* Skip writing the extension if we don't want to use it or if |
| 1697 | * the client hasn't offered it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1698 | if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) { |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1699 | return; |
| 1700 | } |
| 1701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1702 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 1703 | * which is at most 255, so the increment cannot overflow. */ |
| 1704 | if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) { |
| 1705 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1706 | return; |
| 1707 | } |
| 1708 | |
| 1709 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension")); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1710 | |
| 1711 | /* |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1712 | * struct { |
| 1713 | * opaque cid<0..2^8-1>; |
| 1714 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1715 | */ |
| 1716 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1717 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1718 | ext_len = (size_t) ssl->own_cid_len + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1719 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1720 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1721 | |
| 1722 | *p++ = (uint8_t) ssl->own_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1723 | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1724 | |
| 1725 | *olen = ssl->own_cid_len + 5; |
| 1726 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1727 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1728 | |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 1729 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1730 | static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 1731 | unsigned char *buf, |
| 1732 | size_t *olen) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1733 | { |
| 1734 | unsigned char *p = buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1735 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1736 | |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 1737 | /* |
| 1738 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| 1739 | * from a client and then selects a stream or Authenticated Encryption |
| 1740 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| 1741 | * encrypt-then-MAC response extension back to the client." |
| 1742 | */ |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1743 | suite = mbedtls_ssl_ciphersuite_from_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1744 | ssl->session_negotiate->ciphersuite); |
| 1745 | if (suite == NULL) { |
| Ronald Cron | 862902d | 2022-03-24 14:15:28 +0100 | [diff] [blame] | 1746 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1747 | } else { |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1748 | mbedtls_ssl_mode_t ssl_mode = |
| Neil Armstrong | ab555e0 | 2022-04-04 11:07:59 +0200 | [diff] [blame] | 1749 | mbedtls_ssl_get_mode_from_ciphersuite( |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1750 | ssl->session_negotiate->encrypt_then_mac, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1751 | suite); |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1752 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1753 | if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) { |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1754 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1755 | } |
| Ronald Cron | 862902d | 2022-03-24 14:15:28 +0100 | [diff] [blame] | 1756 | } |
| 1757 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1758 | if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 1759 | *olen = 0; |
| 1760 | return; |
| 1761 | } |
| 1762 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1763 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1764 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1765 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1766 | p += 2; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1767 | |
| 1768 | *p++ = 0x00; |
| 1769 | *p++ = 0x00; |
| 1770 | |
| 1771 | *olen = 4; |
| 1772 | } |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 1773 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1774 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1775 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1776 | static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 1777 | unsigned char *buf, |
| 1778 | size_t *olen) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1779 | { |
| 1780 | unsigned char *p = buf; |
| 1781 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1782 | if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1783 | *olen = 0; |
| 1784 | return; |
| 1785 | } |
| 1786 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1787 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret " |
| 1788 | "extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1789 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1790 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1791 | p += 2; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1792 | |
| 1793 | *p++ = 0x00; |
| 1794 | *p++ = 0x00; |
| 1795 | |
| 1796 | *olen = 4; |
| 1797 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1798 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1799 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1800 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1801 | static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 1802 | unsigned char *buf, |
| 1803 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1804 | { |
| 1805 | unsigned char *p = buf; |
| 1806 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1807 | if (ssl->handshake->new_session_ticket == 0) { |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1808 | *olen = 0; |
| 1809 | return; |
| 1810 | } |
| 1811 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1812 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1813 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1814 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1815 | p += 2; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1816 | |
| 1817 | *p++ = 0x00; |
| 1818 | *p++ = 0x00; |
| 1819 | |
| 1820 | *olen = 4; |
| 1821 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1822 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1823 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1824 | static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
| 1825 | unsigned char *buf, |
| 1826 | size_t *olen) |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1827 | { |
| 1828 | unsigned char *p = buf; |
| 1829 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1830 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) { |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1831 | *olen = 0; |
| 1832 | return; |
| 1833 | } |
| 1834 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1835 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension")); |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1836 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1837 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1838 | p += 2; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1839 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1840 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1841 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1842 | *p++ = 0x00; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1843 | *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1844 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1845 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1846 | memcpy(p, ssl->peer_verify_data, ssl->verify_data_len); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1847 | p += ssl->verify_data_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1848 | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1849 | p += ssl->verify_data_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1850 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1851 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1852 | { |
| 1853 | *p++ = 0x00; |
| 1854 | *p++ = 0x01; |
| 1855 | *p++ = 0x00; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1856 | } |
| Manuel Pégourié-Gonnard | 1938975 | 2015-06-23 13:46:44 +0200 | [diff] [blame] | 1857 | |
| 1858 | *olen = p - buf; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1859 | } |
| 1860 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1861 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1862 | static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 1863 | unsigned char *buf, |
| 1864 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1865 | { |
| 1866 | unsigned char *p = buf; |
| 1867 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1868 | if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1869 | *olen = 0; |
| 1870 | return; |
| 1871 | } |
| 1872 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1873 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1874 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1875 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1876 | p += 2; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1877 | |
| 1878 | *p++ = 0x00; |
| 1879 | *p++ = 1; |
| 1880 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 1881 | *p++ = ssl->session_negotiate->mfl_code; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1882 | |
| 1883 | *olen = 5; |
| 1884 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1885 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1886 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 1887 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 1888 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1889 | static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 1890 | unsigned char *buf, |
| 1891 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1892 | { |
| 1893 | unsigned char *p = buf; |
| 1894 | ((void) ssl); |
| 1895 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1896 | if ((ssl->handshake->cli_exts & |
| 1897 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) { |
| Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 1898 | *olen = 0; |
| 1899 | return; |
| 1900 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1901 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1902 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension")); |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1903 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1904 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1905 | p += 2; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1906 | |
| 1907 | *p++ = 0x00; |
| 1908 | *p++ = 2; |
| 1909 | |
| 1910 | *p++ = 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1911 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1912 | |
| 1913 | *olen = 6; |
| 1914 | } |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 1915 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1916 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1917 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1918 | static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
| 1919 | unsigned char *buf, |
| 1920 | size_t *olen) |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1921 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1922 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1923 | unsigned char *p = buf; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 1924 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1925 | size_t kkpp_len; |
| 1926 | |
| 1927 | *olen = 0; |
| 1928 | |
| 1929 | /* Skip costly computation if not needed */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1930 | if (ssl->handshake->ciphersuite_info->key_exchange != |
| 1931 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1932 | return; |
| 1933 | } |
| 1934 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1935 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension")); |
| 1936 | |
| 1937 | if (end - p < 4) { |
| 1938 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1939 | return; |
| 1940 | } |
| 1941 | |
| 1942 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1943 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1944 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1945 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1946 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 1947 | p + 2, end - p - 2, &kkpp_len, |
| 1948 | MBEDTLS_ECJPAKE_ROUND_ONE); |
| 1949 | if (ret != 0) { |
| 1950 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 1951 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 1952 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| Valerio Setti | a988364 | 2022-11-17 15:34:59 +0100 | [diff] [blame] | 1953 | return; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1954 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1955 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1956 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
| 1957 | p + 2, end - p - 2, &kkpp_len, |
| 1958 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 1959 | if (ret != 0) { |
| 1960 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret); |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1961 | return; |
| 1962 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1963 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1964 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1965 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1966 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1967 | |
| 1968 | *olen = kkpp_len + 4; |
| 1969 | } |
| 1970 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1971 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1972 | #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1973 | static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 1974 | unsigned char *buf, |
| 1975 | size_t *olen) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1976 | { |
| Ron Eldor | 75870ec | 2018-12-06 17:31:55 +0200 | [diff] [blame] | 1977 | size_t mki_len = 0, ext_len = 0; |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1978 | uint16_t profile_value = 0; |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 1979 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1980 | |
| 1981 | *olen = 0; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1982 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1983 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 1984 | (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) { |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1985 | return; |
| 1986 | } |
| 1987 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1988 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension")); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1989 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1990 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1991 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 1992 | } |
| 1993 | |
| Johan Pascal | 9bc97ca | 2020-09-21 23:44:45 +0200 | [diff] [blame] | 1994 | /* The extension total size is 9 bytes : |
| 1995 | * - 2 bytes for the extension tag |
| 1996 | * - 2 bytes for the total size |
| 1997 | * - 2 bytes for the protection profile length |
| 1998 | * - 2 bytes for the protection profile |
| 1999 | * - 1 byte for the mki length |
| 2000 | * + the actual mki length |
| 2001 | * Check we have enough room in the output buffer */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2002 | if ((size_t) (end - buf) < mki_len + 9) { |
| 2003 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 2004 | return; |
| 2005 | } |
| 2006 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2007 | /* extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2008 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0); |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 2009 | /* |
| 2010 | * total length 5 and mki value: only one profile(2 bytes) |
| 2011 | * and length(2 bytes) and srtp_mki ) |
| 2012 | */ |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2013 | ext_len = 5 + mki_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2014 | MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2015 | |
| 2016 | /* protection profile length: 2 */ |
| 2017 | buf[4] = 0x00; |
| 2018 | buf[5] = 0x02; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 2019 | profile_value = mbedtls_ssl_check_srtp_profile_value( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2020 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile); |
| 2021 | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
| 2022 | MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6); |
| 2023 | } else { |
| 2024 | MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile")); |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2025 | return; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2026 | } |
| 2027 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2028 | buf[8] = mki_len & 0xFF; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2029 | memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2030 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2031 | *olen = 9 + mki_len; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2032 | } |
| 2033 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 2034 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2035 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2036 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2037 | static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2038 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2039 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2040 | unsigned char *p = ssl->out_msg + 4; |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2041 | unsigned char *cookie_len_byte; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2042 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2043 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2044 | |
| 2045 | /* |
| 2046 | * struct { |
| 2047 | * ProtocolVersion server_version; |
| 2048 | * opaque cookie<0..2^8-1>; |
| 2049 | * } HelloVerifyRequest; |
| 2050 | */ |
| 2051 | |
| Manuel Pégourié-Gonnard | b35fe56 | 2014-08-09 17:00:46 +0200 | [diff] [blame] | 2052 | /* The RFC is not clear on this point, but sending the actual negotiated |
| 2053 | * version looks like the most interoperable thing to do. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2054 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| 2055 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2056 | p += 2; |
| 2057 | |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2058 | /* If we get here, f_cookie_check is not null */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2059 | if (ssl->conf->f_cookie_write == NULL) { |
| 2060 | MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); |
| 2061 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2062 | } |
| 2063 | |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2064 | /* Skip length byte until we know the length */ |
| 2065 | cookie_len_byte = p++; |
| 2066 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2067 | if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, |
| 2068 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, |
| 2069 | ssl->cli_id, ssl->cli_id_len)) != 0) { |
| 2070 | MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); |
| 2071 | return ret; |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2072 | } |
| 2073 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2074 | *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1)); |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2075 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2076 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2077 | |
| 2078 | ssl->out_msglen = p - ssl->out_msg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2079 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2080 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2081 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2082 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2083 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2084 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 2085 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 2086 | return ret; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2087 | } |
| 2088 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2089 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2090 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2091 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 2092 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 2093 | return ret; |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2094 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 2095 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2096 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2097 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2098 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2099 | return 0; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2100 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2101 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2102 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2103 | static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl) |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2104 | { |
| 2105 | int ret; |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2106 | mbedtls_ssl_session session_tmp; |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2107 | mbedtls_ssl_session * const session = ssl->session_negotiate; |
| 2108 | |
| 2109 | /* Resume is 0 by default, see ssl_handshake_init(). |
| 2110 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2111 | if (ssl->handshake->resume == 1) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2112 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2113 | } |
| 2114 | if (session->id_len == 0) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2115 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2116 | } |
| 2117 | if (ssl->conf->f_get_cache == NULL) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2118 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2119 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2120 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2121 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2122 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2123 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2124 | #endif |
| 2125 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2126 | mbedtls_ssl_session_init(&session_tmp); |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2127 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2128 | ret = ssl->conf->f_get_cache(ssl->conf->p_cache, |
| 2129 | session->id, |
| 2130 | session->id_len, |
| 2131 | &session_tmp); |
| 2132 | if (ret != 0) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2133 | goto exit; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2134 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2135 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2136 | if (session->ciphersuite != session_tmp.ciphersuite) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2137 | /* Mismatch between cached and negotiated session */ |
| 2138 | goto exit; |
| 2139 | } |
| 2140 | |
| 2141 | /* Move semantics */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2142 | mbedtls_ssl_session_free(session); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2143 | *session = session_tmp; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2144 | memset(&session_tmp, 0, sizeof(session_tmp)); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2145 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2146 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache")); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2147 | ssl->handshake->resume = 1; |
| 2148 | |
| 2149 | exit: |
| 2150 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2151 | mbedtls_ssl_session_free(&session_tmp); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2152 | } |
| 2153 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2154 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2155 | static int ssl_write_server_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2156 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2157 | #if defined(MBEDTLS_HAVE_TIME) |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 2158 | mbedtls_time_t t; |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2159 | #endif |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2160 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2161 | size_t olen, ext_len = 0, n; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2162 | unsigned char *buf, *p; |
| 2163 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2164 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2165 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2166 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2167 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2168 | ssl->handshake->cookie_verify_result != 0) { |
| 2169 | MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated")); |
| 2170 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2171 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2172 | return ssl_write_hello_verify_request(ssl); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2173 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2174 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2175 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2176 | if (ssl->conf->f_rng == NULL) { |
| 2177 | MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); |
| 2178 | return MBEDTLS_ERR_SSL_NO_RNG; |
| Paul Bakker | a9a028e | 2013-11-21 17:31:06 +0100 | [diff] [blame] | 2179 | } |
| 2180 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2181 | /* |
| 2182 | * 0 . 0 handshake type |
| 2183 | * 1 . 3 handshake length |
| 2184 | * 4 . 5 protocol version |
| 2185 | * 6 . 9 UNIX time() |
| 2186 | * 10 . 37 random bytes |
| 2187 | */ |
| 2188 | buf = ssl->out_msg; |
| 2189 | p = buf + 4; |
| 2190 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2191 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 2192 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2193 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2194 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]", |
| 2195 | buf[4], buf[5])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2196 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2197 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2198 | t = mbedtls_time(NULL); |
| 2199 | MBEDTLS_PUT_UINT32_BE(t, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2200 | p += 4; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2201 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2202 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
| 2203 | (long long) t)); |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2204 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2205 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { |
| 2206 | return ret; |
| 2207 | } |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2208 | |
| 2209 | p += 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2210 | #endif /* MBEDTLS_HAVE_TIME */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2211 | |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2212 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2213 | return ret; |
| 2214 | } |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2215 | p += 20; |
| Paul Bakker | a3d195c | 2011-11-27 21:07:34 +0000 | [diff] [blame] | 2216 | |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2217 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| 2218 | /* |
| 2219 | * RFC 8446 |
| 2220 | * TLS 1.3 has a downgrade protection mechanism embedded in the server's |
| 2221 | * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in |
| 2222 | * response to a ClientHello MUST set the last 8 bytes of their Random |
| 2223 | * value specially in their ServerHello. |
| 2224 | */ |
| 2225 | if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) { |
| 2226 | static const unsigned char magic_tls12_downgrade_string[] = |
| 2227 | { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 }; |
| 2228 | |
| 2229 | MBEDTLS_STATIC_ASSERT( |
| 2230 | sizeof(magic_tls12_downgrade_string) == 8, |
| 2231 | "magic_tls12_downgrade_string does not have the expected size"); |
| 2232 | |
| Ronald Cron | fe01ec2 | 2023-04-06 09:56:53 +0200 | [diff] [blame] | 2233 | memcpy(p, magic_tls12_downgrade_string, |
| 2234 | sizeof(magic_tls12_downgrade_string)); |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2235 | } else |
| 2236 | #endif |
| 2237 | { |
| 2238 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) { |
| 2239 | return ret; |
| 2240 | } |
| 2241 | } |
| 2242 | p += 8; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2243 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2244 | memcpy(ssl->handshake->randbytes + 32, buf + 6, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2245 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2246 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2247 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2248 | ssl_handle_id_based_session_resumption(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2249 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2250 | if (ssl->handshake->resume == 0) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2251 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2252 | * New session, create a new session id, |
| 2253 | * unless we're about to issue a session ticket |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2254 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2255 | ssl->state++; |
| 2256 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2257 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2258 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 2259 | #endif |
| 2260 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2261 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2262 | if (ssl->handshake->new_session_ticket != 0) { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2263 | ssl->session_negotiate->id_len = n = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2264 | memset(ssl->session_negotiate->id, 0, 32); |
| 2265 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2266 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2267 | { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2268 | ssl->session_negotiate->id_len = n = 32; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2269 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, |
| 2270 | n)) != 0) { |
| 2271 | return ret; |
| 2272 | } |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2273 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2274 | } else { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2275 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2276 | * Resuming a session |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2277 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2278 | n = ssl->session_negotiate->id_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2279 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2280 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2281 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 2282 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 2283 | return ret; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2284 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2285 | } |
| 2286 | |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2287 | /* |
| 2288 | * 38 . 38 session id length |
| 2289 | * 39 . 38+n session id |
| 2290 | * 39+n . 40+n chosen ciphersuite |
| 2291 | * 41+n . 41+n chosen compression alg. |
| 2292 | * 42+n . 43+n extensions length |
| 2293 | * 44+n . 43+n+m extensions |
| 2294 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2295 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2296 | memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2297 | p += ssl->session_negotiate->id_len; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2298 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2299 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
| 2300 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n); |
| 2301 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
| 2302 | ssl->handshake->resume ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2303 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2304 | MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2305 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2306 | *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2307 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2308 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s", |
| 2309 | mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite))); |
| 2310 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X", |
| 2311 | (unsigned int) MBEDTLS_SSL_COMPRESS_NULL)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2312 | |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2313 | /* |
| 2314 | * First write extensions, then the total length |
| 2315 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2316 | ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2317 | ext_len += olen; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2318 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2319 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2320 | ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2321 | ext_len += olen; |
| Paul Bakker | 05decb2 | 2013-08-15 13:33:48 +0200 | [diff] [blame] | 2322 | #endif |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2323 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2324 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2325 | ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 2326 | ext_len += olen; |
| 2327 | #endif |
| 2328 | |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 2329 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2330 | ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2331 | ext_len += olen; |
| 2332 | #endif |
| 2333 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2334 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2335 | ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2336 | ext_len += olen; |
| 2337 | #endif |
| 2338 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2339 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2340 | ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2341 | ext_len += olen; |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 2342 | #endif |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2343 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 2344 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 2345 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Leonid Rozenboim | 2875270 | 2022-04-21 18:00:52 -0700 | [diff] [blame] | 2346 | const mbedtls_ssl_ciphersuite_t *suite = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2347 | mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); |
| 2348 | if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) { |
| 2349 | ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen); |
| Ron Eldor | 755bb6a | 2018-02-14 19:30:48 +0200 | [diff] [blame] | 2350 | ext_len += olen; |
| 2351 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2352 | #endif |
| 2353 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2354 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2355 | ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2356 | ext_len += olen; |
| 2357 | #endif |
| 2358 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2359 | #if defined(MBEDTLS_SSL_ALPN) |
| XiaokangQian | acb3992 | 2022-06-17 10:18:48 +0000 | [diff] [blame] | 2360 | unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2361 | if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen)) |
| 2362 | != 0) { |
| Paul Elliott | f518f81 | 2022-07-11 12:36:20 +0100 | [diff] [blame] | 2363 | return ret; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2364 | } |
| Paul Elliott | f518f81 | 2022-07-11 12:36:20 +0100 | [diff] [blame] | 2365 | |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2366 | ext_len += olen; |
| 2367 | #endif |
| 2368 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2369 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2370 | ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen); |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 2371 | ext_len += olen; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2372 | #endif |
| 2373 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2374 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 2375 | ext_len)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2376 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2377 | if (ext_len > 0) { |
| 2378 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 94180e7 | 2021-08-20 16:20:44 +0100 | [diff] [blame] | 2379 | p += 2 + ext_len; |
| Paul Bakker | a703663 | 2014-04-30 10:15:38 +0200 | [diff] [blame] | 2380 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2381 | |
| 2382 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2383 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2384 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2386 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2387 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2388 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2389 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2390 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2391 | } |
| 2392 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2393 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2394 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2395 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2396 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2397 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2398 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2399 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2400 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2401 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2402 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2403 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2404 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2405 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2406 | } |
| 2407 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2408 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2409 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2410 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2411 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2412 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2413 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2414 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2415 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2416 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2417 | ssl->handshake->ciphersuite_info; |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2418 | uint16_t dn_size, total_dn_size; /* excluding length bytes */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2419 | size_t ct_len, sa_len; /* including length bytes */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2420 | unsigned char *buf, *p; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2421 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2422 | const mbedtls_x509_crt *crt; |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2423 | int authmode; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2424 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2425 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2426 | |
| 2427 | ssl->state++; |
| 2428 | |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2429 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2430 | if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2431 | authmode = ssl->handshake->sni_authmode; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2432 | } else |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2433 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2434 | authmode = ssl->conf->authmode; |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2435 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2436 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) || |
| 2437 | authmode == MBEDTLS_SSL_VERIFY_NONE) { |
| 2438 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| 2439 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2440 | } |
| 2441 | |
| 2442 | /* |
| 2443 | * 0 . 0 handshake type |
| 2444 | * 1 . 3 handshake length |
| 2445 | * 4 . 4 cert type count |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2446 | * 5 .. m-1 cert types |
| 2447 | * m .. m+1 sig alg length (TLS 1.2 only) |
| Paul Bakker | 9af723c | 2014-05-01 13:03:14 +0200 | [diff] [blame] | 2448 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2449 | * n .. n+1 length of all DNs |
| 2450 | * n+2 .. n+3 length of DN 1 |
| 2451 | * n+4 .. ... Distinguished Name #1 |
| 2452 | * ... .. ... length of DN 2, etc. |
| 2453 | */ |
| 2454 | buf = ssl->out_msg; |
| 2455 | p = buf + 4; |
| 2456 | |
| 2457 | /* |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2458 | * Supported certificate types |
| 2459 | * |
| 2460 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2461 | * enum { (255) } ClientCertificateType; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2462 | */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2463 | ct_len = 0; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2464 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2465 | #if defined(MBEDTLS_RSA_C) |
| 2466 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2467 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2468 | #if defined(MBEDTLS_ECDSA_C) |
| 2469 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2470 | #endif |
| 2471 | |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2472 | p[0] = (unsigned char) ct_len++; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2473 | p += ct_len; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2474 | |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 2475 | sa_len = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 2476 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2477 | /* |
| 2478 | * Add signature_algorithms for verify (TLS 1.2) |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2479 | * |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2480 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| 2481 | * |
| 2482 | * struct { |
| 2483 | * HashAlgorithm hash; |
| 2484 | * SignatureAlgorithm signature; |
| 2485 | * } SignatureAndHashAlgorithm; |
| 2486 | * |
| 2487 | * enum { (255) } HashAlgorithm; |
| 2488 | * enum { (255) } SignatureAlgorithm; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2489 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2490 | const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); |
| 2491 | if (sig_alg == NULL) { |
| 2492 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2493 | } |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2494 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2495 | for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { |
| 2496 | unsigned char hash = MBEDTLS_BYTE_1(*sig_alg); |
| Jerry Yu | 6106fdc | 2022-01-12 16:36:14 +0800 | [diff] [blame] | 2497 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2498 | if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2499 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2500 | } |
| 2501 | if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2502 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2503 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2504 | |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2505 | /* Write elements at offsets starting from 1 (offset 0 is for the |
| 2506 | * length). Thus the offset of each element is the length of the |
| 2507 | * partial list including that element. */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2508 | sa_len += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2509 | MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len); |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2510 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2511 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2512 | |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2513 | /* Fill in list length. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2514 | MBEDTLS_PUT_UINT16_BE(sa_len, p, 0); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2515 | sa_len += 2; |
| 2516 | p += sa_len; |
| 2517 | |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2518 | /* |
| 2519 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2520 | * opaque DistinguishedName<1..2^16-1>; |
| 2521 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2522 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2523 | |
| Paul Bakker | bc3d984 | 2012-11-26 16:12:02 +0100 | [diff] [blame] | 2524 | total_dn_size = 0; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2525 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2526 | if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) { |
| Hanno Becker | 8bf74f3 | 2019-03-27 11:01:30 +0000 | [diff] [blame] | 2527 | /* NOTE: If trusted certificates are provisioned |
| 2528 | * via a CA callback (configured through |
| 2529 | * `mbedtls_ssl_conf_ca_cb()`, then the |
| 2530 | * CertificateRequest is currently left empty. */ |
| 2531 | |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2532 | #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| 2533 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2534 | if (ssl->handshake->dn_hints != NULL) { |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2535 | crt = ssl->handshake->dn_hints; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2536 | } else |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2537 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2538 | if (ssl->conf->dn_hints != NULL) { |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2539 | crt = ssl->conf->dn_hints; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2540 | } else |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2541 | #endif |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2542 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2543 | if (ssl->handshake->sni_ca_chain != NULL) { |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2544 | crt = ssl->handshake->sni_ca_chain; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2545 | } else |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2546 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2547 | crt = ssl->conf->ca_chain; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2548 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2549 | while (crt != NULL && crt->version != 0) { |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2550 | /* It follows from RFC 5280 A.1 that this length |
| 2551 | * can be represented in at most 11 bits. */ |
| 2552 | dn_size = (uint16_t) crt->subject_raw.len; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2553 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2554 | if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) { |
| 2555 | MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short")); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2556 | break; |
| 2557 | } |
| 2558 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2559 | MBEDTLS_PUT_UINT16_BE(dn_size, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2560 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2561 | memcpy(p, crt->subject_raw.p, dn_size); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2562 | p += dn_size; |
| 2563 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2564 | MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2565 | |
| 2566 | total_dn_size += 2 + dn_size; |
| 2567 | crt = crt->next; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2568 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2569 | } |
| 2570 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2571 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2572 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2573 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2574 | MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2575 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2576 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2577 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2578 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2579 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2580 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2581 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2582 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2583 | |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2584 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2585 | (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2586 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2587 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2588 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2589 | { |
| 2590 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2591 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2592 | mbedtls_pk_context *pk; |
| 2593 | mbedtls_pk_type_t pk_type; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2594 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2595 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2596 | uint16_t tls_id = 0; |
| 2597 | psa_ecc_family_t ecc_family; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2598 | size_t key_len; |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2599 | mbedtls_ecp_group_id grp_id; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2600 | unsigned char buf[ |
| 2601 | PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; |
| 2602 | mbedtls_ecp_keypair *key; |
| 2603 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2604 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2605 | pk = mbedtls_ssl_own_key(ssl); |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2606 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2607 | if (pk == NULL) { |
| 2608 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2609 | } |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2610 | |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2611 | pk_type = mbedtls_pk_get_type(pk); |
| Valerio Setti | d040509 | 2023-05-24 13:16:40 +0200 | [diff] [blame] | 2612 | |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2613 | switch (pk_type) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2614 | case MBEDTLS_PK_OPAQUE: |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2615 | #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2616 | case MBEDTLS_PK_ECKEY: |
| 2617 | case MBEDTLS_PK_ECKEY_DH: |
| 2618 | case MBEDTLS_PK_ECDSA: |
| 2619 | #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2620 | if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { |
| 2621 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| 2622 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2623 | |
| Valerio Setti | 4f387ef | 2023-05-02 14:15:59 +0200 | [diff] [blame] | 2624 | ssl->handshake->ecdh_psa_privkey = pk->priv_id; |
| Valerio Setti | b46217d | 2023-06-16 13:18:52 +0200 | [diff] [blame^] | 2625 | /* Key should not be destroyed in the TLS library */ |
| 2626 | ssl->handshake->ecdh_psa_privkey_is_external = 1; |
| Neil Armstrong | e88d190 | 2022-04-04 11:25:23 +0200 | [diff] [blame] | 2627 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2628 | status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey, |
| 2629 | &key_attributes); |
| 2630 | if (status != PSA_SUCCESS) { |
| 2631 | ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2632 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2633 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2634 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2635 | ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); |
| 2636 | ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2637 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2638 | psa_reset_key_attributes(&key_attributes); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2639 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2640 | ret = 0; |
| 2641 | break; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2642 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2643 | case MBEDTLS_PK_ECKEY: |
| 2644 | case MBEDTLS_PK_ECKEY_DH: |
| 2645 | case MBEDTLS_PK_ECDSA: |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2646 | key = mbedtls_pk_ec_rw(*pk); |
| Valerio Setti | d040509 | 2023-05-24 13:16:40 +0200 | [diff] [blame] | 2647 | grp_id = mbedtls_pk_get_group_id(pk); |
| 2648 | if (grp_id == MBEDTLS_ECP_DP_NONE) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2649 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2650 | } |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2651 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2652 | if (tls_id == 0) { |
| 2653 | /* This elliptic curve is not supported */ |
| 2654 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2655 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2656 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2657 | /* If the above conversion to TLS ID was fine, then also this one will |
| 2658 | be, so there is no need to check the return value here */ |
| 2659 | mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, |
| 2660 | &ssl->handshake->ecdh_bits); |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2661 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2662 | ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2663 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2664 | key_attributes = psa_key_attributes_init(); |
| 2665 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2666 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2667 | psa_set_key_type(&key_attributes, |
| 2668 | PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type)); |
| 2669 | psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2670 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2671 | key_len = PSA_BITS_TO_BYTES(key->grp.pbits); |
| 2672 | ret = mbedtls_ecp_write_key(key, buf, key_len); |
| 2673 | if (ret != 0) { |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2674 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2675 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2676 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2677 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2678 | status = psa_import_key(&key_attributes, buf, key_len, |
| 2679 | &ssl->handshake->ecdh_psa_privkey); |
| 2680 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2681 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2682 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2683 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2684 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2685 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2686 | ret = 0; |
| 2687 | break; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2688 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2689 | default: |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2690 | ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2691 | } |
| 2692 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2693 | return ret; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2694 | } |
| 2695 | #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2696 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2697 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2698 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2699 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2700 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2702 | const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 2703 | if (private_key == NULL) { |
| 2704 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key")); |
| 2705 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Leonid Rozenboim | 2875270 | 2022-04-21 18:00:52 -0700 | [diff] [blame] | 2706 | } |
| 2707 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2708 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) { |
| 2709 | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
| 2710 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2711 | } |
| 2712 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2713 | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, |
| Valerio Setti | 77a7568 | 2023-05-15 11:18:46 +0200 | [diff] [blame] | 2714 | mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)), |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2715 | MBEDTLS_ECDH_OURS)) != 0) { |
| 2716 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
| 2717 | return ret; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2718 | } |
| 2719 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2720 | return 0; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2721 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2722 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2723 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2724 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2725 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2726 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2727 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2728 | static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2729 | size_t *signature_len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2730 | { |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2731 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 2732 | * signature length which will be added in ssl_write_server_key_exchange |
| 2733 | * after the call to ssl_prepare_server_key_exchange. |
| 2734 | * ssl_write_server_key_exchange also takes care of incrementing |
| 2735 | * ssl->out_msglen. */ |
| 2736 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2737 | size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN |
| 2738 | - sig_start); |
| 2739 | int ret = ssl->conf->f_async_resume(ssl, |
| 2740 | sig_start, signature_len, sig_max_len); |
| 2741 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 2742 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2743 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2744 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2745 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret); |
| 2746 | return ret; |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2747 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2748 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2749 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2750 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 2751 | /* Prepare the ServerKeyExchange message, up to and including |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 2752 | * calculating the signature if any, but excluding formatting the |
| 2753 | * signature and sending the message. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2754 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2755 | static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2756 | size_t *signature_len) |
| Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 2757 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2758 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2759 | ssl->handshake->ciphersuite_info; |
| 2760 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2761 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2762 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 3ce9b90 | 2018-01-06 01:34:21 +0100 | [diff] [blame] | 2763 | unsigned char *dig_signed = NULL; |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2764 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2765 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2766 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2767 | (void) ciphersuite_info; /* unused in some configurations */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2768 | #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 22e695f | 2018-04-26 00:22:50 +0200 | [diff] [blame] | 2769 | (void) signature_len; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2770 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2771 | |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 2772 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2773 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2774 | size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2775 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2776 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2777 | #endif |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 2778 | #endif |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2779 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2780 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2781 | |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2782 | /* |
| 2783 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2784 | * Part 1: Provide key exchange parameters for chosen ciphersuite. |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2785 | * |
| 2786 | */ |
| 2787 | |
| 2788 | /* |
| 2789 | * - ECJPAKE key exchanges |
| 2790 | */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2791 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2792 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2793 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2794 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2795 | unsigned char *out_p = ssl->out_msg + ssl->out_msglen; |
| 2796 | unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - |
| 2797 | ssl->out_msglen; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2798 | size_t output_offset = 0; |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 2799 | size_t output_len = 0; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2800 | |
| Valerio Setti | 6f1b574 | 2022-11-16 10:00:32 +0100 | [diff] [blame] | 2801 | /* |
| 2802 | * The first 3 bytes are: |
| 2803 | * [0] MBEDTLS_ECP_TLS_NAMED_CURVE |
| 2804 | * [1, 2] elliptic curve's TLS ID |
| 2805 | * |
| 2806 | * However since we only support secp256r1 for now, we hardcode its |
| 2807 | * TLS ID here |
| 2808 | */ |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2809 | uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2810 | MBEDTLS_ECP_DP_SECP256R1); |
| 2811 | if (tls_id == 0) { |
| 2812 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Valerio Setti | 6f1b574 | 2022-11-16 10:00:32 +0100 | [diff] [blame] | 2813 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2814 | *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2815 | MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1); |
| Valerio Setti | 819de86 | 2022-11-17 18:05:19 +0100 | [diff] [blame] | 2816 | output_offset += 3; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2817 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2818 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 2819 | out_p + output_offset, |
| 2820 | end_p - out_p - output_offset, &output_len, |
| 2821 | MBEDTLS_ECJPAKE_ROUND_TWO); |
| 2822 | if (ret != 0) { |
| 2823 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 2824 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 2825 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 2826 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2827 | } |
| 2828 | |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 2829 | output_offset += output_len; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2830 | ssl->out_msglen += output_offset; |
| 2831 | #else |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2832 | size_t len = 0; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2833 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2834 | ret = mbedtls_ecjpake_write_round_two( |
| 2835 | &ssl->handshake->ecjpake_ctx, |
| 2836 | ssl->out_msg + ssl->out_msglen, |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2837 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2838 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2839 | if (ret != 0) { |
| 2840 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
| 2841 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2842 | } |
| 2843 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2844 | ssl->out_msglen += len; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2845 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2846 | } |
| 2847 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 2848 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2849 | /* |
| 2850 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support |
| 2851 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, |
| 2852 | * we use empty support identity hints here. |
| 2853 | **/ |
| 2854 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2855 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2856 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| 2857 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2858 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| 2859 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2860 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2861 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| 2862 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2863 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 2864 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2865 | * - DHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2866 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2867 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2868 | if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2869 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2870 | size_t len = 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2871 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2872 | if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) { |
| 2873 | MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set")); |
| 2874 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Manuel Pégourié-Gonnard | 1028b74 | 2015-05-06 17:33:07 +0100 | [diff] [blame] | 2875 | } |
| 2876 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2877 | /* |
| 2878 | * Ephemeral DH parameters: |
| 2879 | * |
| 2880 | * struct { |
| 2881 | * opaque dh_p<1..2^16-1>; |
| 2882 | * opaque dh_g<1..2^16-1>; |
| 2883 | * opaque dh_Ys<1..2^16-1>; |
| 2884 | * } ServerDHParams; |
| 2885 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2886 | if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx, |
| 2887 | &ssl->conf->dhm_P, |
| 2888 | &ssl->conf->dhm_G)) != 0) { |
| 2889 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret); |
| 2890 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2891 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2892 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2893 | if ((ret = mbedtls_dhm_make_params( |
| 2894 | &ssl->handshake->dhm_ctx, |
| 2895 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 2896 | ssl->out_msg + ssl->out_msglen, &len, |
| 2897 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2898 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret); |
| 2899 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2900 | } |
| 2901 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2902 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2903 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2904 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2905 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2906 | ssl->out_msglen += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2907 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2908 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
| 2909 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
| 2910 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
| 2911 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2912 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2913 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2914 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2915 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2916 | * - ECDHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2917 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2918 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2919 | if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) { |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2920 | /* |
| 2921 | * Ephemeral ECDH parameters: |
| 2922 | * |
| 2923 | * struct { |
| 2924 | * ECParameters curve_params; |
| 2925 | * ECPoint public; |
| 2926 | * } ServerECDHParams; |
| 2927 | */ |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2928 | uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2929 | const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2930 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2931 | size_t len = 0; |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2932 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 2933 | /* Match our preference list against the offered curves */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2934 | if ((group_list == NULL) || (curr_tls_id == NULL)) { |
| 2935 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2936 | } |
| 2937 | for (; *group_list != 0; group_list++) { |
| 2938 | for (curr_tls_id = ssl->handshake->curves_tls_id; |
| 2939 | *curr_tls_id != 0; curr_tls_id++) { |
| 2940 | if (*curr_tls_id == *group_list) { |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 2941 | goto curve_matching_done; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2942 | } |
| 2943 | } |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2944 | } |
| Manuel Pégourié-Gonnard | de05390 | 2014-02-04 13:58:39 +0100 | [diff] [blame] | 2945 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2946 | curve_matching_done: |
| 2947 | if (*curr_tls_id == 0) { |
| 2948 | MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); |
| 2949 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2950 | } |
| 2951 | |
| 2952 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", |
| 2953 | mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id))); |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2954 | |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 2955 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2956 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 2957 | psa_key_attributes_t key_attributes; |
| 2958 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2959 | uint8_t *p = ssl->out_msg + ssl->out_msglen; |
| 2960 | const size_t header_size = 4; // curve_type(1), namedcurve(2), |
| 2961 | // data length(1) |
| 2962 | const size_t data_length_size = 1; |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2963 | psa_ecc_family_t ec_psa_family = 0; |
| 2964 | size_t ec_bits = 0; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2965 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2966 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2967 | |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2968 | /* Convert EC's TLS ID to PSA key type. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2969 | if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id, |
| 2970 | &ec_psa_family, |
| 2971 | &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { |
| 2972 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse.")); |
| 2973 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 2974 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2975 | handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2976 | handshake->ecdh_bits = ec_bits; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2977 | |
| 2978 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2979 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2980 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2981 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2982 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2983 | |
| 2984 | /* |
| 2985 | * ECParameters curve_params |
| 2986 | * |
| 2987 | * First byte is curve_type, always named_curve |
| 2988 | */ |
| 2989 | *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| 2990 | |
| 2991 | /* |
| 2992 | * Next two bytes are the namedcurve value |
| 2993 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2994 | MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2995 | p += 2; |
| 2996 | |
| 2997 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2998 | status = psa_generate_key(&key_attributes, |
| 2999 | &handshake->ecdh_psa_privkey); |
| 3000 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3001 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3002 | MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); |
| 3003 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3004 | } |
| 3005 | |
| 3006 | /* |
| 3007 | * ECPoint public |
| 3008 | * |
| 3009 | * First byte is data length. |
| 3010 | * It will be filled later. p holds now the data length location. |
| 3011 | */ |
| 3012 | |
| 3013 | /* Export the public part of the ECDH private key from PSA. |
| 3014 | * Make one byte space for the length. |
| 3015 | */ |
| 3016 | unsigned char *own_pubkey = p + data_length_size; |
| 3017 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3018 | size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN |
| 3019 | - (own_pubkey - ssl->out_msg)); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3020 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3021 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 3022 | own_pubkey, own_pubkey_max_len, |
| 3023 | &len); |
| 3024 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3025 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3026 | MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); |
| 3027 | (void) psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3028 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3029 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3030 | } |
| 3031 | |
| 3032 | /* Store the length of the exported public key. */ |
| 3033 | *p = (uint8_t) len; |
| 3034 | |
| 3035 | /* Determine full message length. */ |
| 3036 | len += header_size; |
| 3037 | #else |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 3038 | mbedtls_ecp_group_id curr_grp_id = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3039 | mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 3040 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3041 | if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx, |
| 3042 | curr_grp_id)) != 0) { |
| 3043 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); |
| 3044 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3045 | } |
| 3046 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3047 | if ((ret = mbedtls_ecdh_make_params( |
| 3048 | &ssl->handshake->ecdh_ctx, &len, |
| 3049 | ssl->out_msg + ssl->out_msglen, |
| 3050 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, |
| 3051 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3052 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); |
| 3053 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3054 | } |
| 3055 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3056 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3057 | MBEDTLS_DEBUG_ECDH_Q); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3058 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3059 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3060 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3061 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3062 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3063 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3064 | ssl->out_msglen += len; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3065 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3066 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3067 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3068 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3069 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3070 | * Part 2: For key exchanges involving the server signing the |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3071 | * exchange parameters, compute and add the signature here. |
| 3072 | * |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3073 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3074 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3075 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
| 3076 | if (dig_signed == NULL) { |
| 3077 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3078 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Elliott | 1142038 | 2022-05-13 17:43:47 +0100 | [diff] [blame] | 3079 | } |
| 3080 | |
| Gilles Peskine | 1004c19 | 2018-01-08 16:59:14 +0100 | [diff] [blame] | 3081 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; |
| Gilles Peskine | ca1d742 | 2018-04-24 11:53:22 +0200 | [diff] [blame] | 3082 | size_t hashlen = 0; |
| Manuel Pégourié-Gonnard | 8857984 | 2023-03-28 11:20:23 +0200 | [diff] [blame] | 3083 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Przemek Stekiel | 5166954 | 2022-09-13 12:57:05 +0200 | [diff] [blame] | 3084 | |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3085 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3086 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3087 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3088 | * 2.1: Choose hash algorithm: |
| TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 3089 | * For TLS 1.2, obey signature-hash-algorithm extension |
| 3090 | * to choose appropriate hash. |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3091 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3092 | |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3093 | mbedtls_pk_type_t sig_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3094 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3095 | |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3096 | unsigned int sig_hash = |
| 3097 | mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3098 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3099 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3100 | mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash); |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3101 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3102 | /* For TLS 1.2, obey signature-hash-algorithm extension |
| 3103 | * (RFC 5246, Sec. 7.4.1.4.1). */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3104 | if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { |
| 3105 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3106 | /* (... because we choose a cipher suite |
| 3107 | * only if there is a matching hash.) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3108 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3109 | } |
| 3110 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3111 | MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3112 | |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3113 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3114 | * 2.2: Compute the hash to be signed |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3115 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3116 | if (md_alg != MBEDTLS_MD_NONE) { |
| 3117 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
| 3118 | dig_signed, |
| 3119 | dig_signed_len, |
| 3120 | md_alg); |
| 3121 | if (ret != 0) { |
| 3122 | return ret; |
| 3123 | } |
| 3124 | } else { |
| 3125 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3126 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3127 | } |
| Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3128 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3129 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3130 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3131 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3132 | * 2.3: Compute and add the signature |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3133 | */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3134 | /* |
| 3135 | * We need to specify signature and hash algorithm explicitly through |
| 3136 | * a prefix to the signature. |
| 3137 | * |
| 3138 | * struct { |
| 3139 | * HashAlgorithm hash; |
| 3140 | * SignatureAlgorithm signature; |
| 3141 | * } SignatureAndHashAlgorithm; |
| 3142 | * |
| 3143 | * struct { |
| 3144 | * SignatureAndHashAlgorithm algorithm; |
| 3145 | * opaque signature<0..2^16-1>; |
| 3146 | * } DigitallySigned; |
| 3147 | * |
| 3148 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3149 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3150 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg); |
| 3151 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3152 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3153 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3154 | if (ssl->conf->f_async_sign_start != NULL) { |
| 3155 | ret = ssl->conf->f_async_sign_start(ssl, |
| 3156 | mbedtls_ssl_own_cert(ssl), |
| 3157 | md_alg, hash, hashlen); |
| 3158 | switch (ret) { |
| 3159 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3160 | /* act as if f_async_sign was null */ |
| 3161 | break; |
| 3162 | case 0: |
| 3163 | ssl->handshake->async_in_progress = 1; |
| 3164 | return ssl_resume_server_key_exchange(ssl, signature_len); |
| 3165 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3166 | ssl->handshake->async_in_progress = 1; |
| 3167 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3168 | default: |
| 3169 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret); |
| 3170 | return ret; |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3171 | } |
| 3172 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3173 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3174 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3175 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
| 3176 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key")); |
| 3177 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3178 | } |
| 3179 | |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 3180 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 3181 | * signature length which will be added in ssl_write_server_key_exchange |
| 3182 | * after the call to ssl_prepare_server_key_exchange. |
| 3183 | * ssl_write_server_key_exchange also takes care of incrementing |
| 3184 | * ssl->out_msglen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3185 | if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), |
| 3186 | md_alg, hash, hashlen, |
| 3187 | ssl->out_msg + ssl->out_msglen + 2, |
| 3188 | out_buf_len - ssl->out_msglen - 2, |
| 3189 | signature_len, |
| 3190 | ssl->conf->f_rng, |
| 3191 | ssl->conf->p_rng)) != 0) { |
| 3192 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
| 3193 | return ret; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3194 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3195 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3196 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3197 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3198 | return 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3199 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3200 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3201 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3202 | * that do not include a ServerKeyExchange message, do nothing. Either |
| 3203 | * way, if successful, move on to the next step in the SSL state |
| 3204 | * machine. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3205 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3206 | static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3207 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3208 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3209 | size_t signature_len = 0; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3210 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3211 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3212 | ssl->handshake->ciphersuite_info; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3213 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3214 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3215 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3216 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3217 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3218 | /* Extract static ECDH parameters and abort if ServerKeyExchange |
| 3219 | * is not needed. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3220 | if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3221 | /* For suites involving ECDH, extract DH parameters |
| 3222 | * from certificate at this point. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3223 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3224 | if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { |
| 3225 | ret = ssl_get_ecdh_params_from_cert(ssl); |
| 3226 | if (ret != 0) { |
| 3227 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
| 3228 | return ret; |
| Manuel Pégourié-Gonnard | b64fb62 | 2022-06-10 09:34:20 +0200 | [diff] [blame] | 3229 | } |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3230 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3231 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3232 | |
| 3233 | /* Key exchanges not involving ephemeral keys don't use |
| 3234 | * ServerKeyExchange, so end here. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3235 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3236 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3237 | return 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3238 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3239 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3240 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3241 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3242 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3243 | /* If we have already prepared the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3244 | * signature operation, resume signing. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3245 | if (ssl->handshake->async_in_progress != 0) { |
| 3246 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation")); |
| 3247 | ret = ssl_resume_server_key_exchange(ssl, &signature_len); |
| 3248 | } else |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3249 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3250 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3251 | { |
| 3252 | /* ServerKeyExchange is needed. Prepare the message. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3253 | ret = ssl_prepare_server_key_exchange(ssl, &signature_len); |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3254 | } |
| 3255 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3256 | if (ret != 0) { |
| Gilles Peskine | ad28bf0 | 2018-04-26 00:19:16 +0200 | [diff] [blame] | 3257 | /* If we're starting to write a new message, set ssl->out_msglen |
| 3258 | * to 0. But if we're resuming after an asynchronous message, |
| 3259 | * out_msglen is the amount of data written so far and mst be |
| 3260 | * preserved. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3261 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3262 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)")); |
| 3263 | } else { |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3264 | ssl->out_msglen = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3265 | } |
| 3266 | return ret; |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3267 | } |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3268 | |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3269 | /* If there is a signature, write its length. |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3270 | * ssl_prepare_server_key_exchange already wrote the signature |
| 3271 | * itself at its proper place in the output buffer. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3272 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3273 | if (signature_len != 0) { |
| 3274 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len); |
| 3275 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len); |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3276 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3277 | MBEDTLS_SSL_DEBUG_BUF(3, "my signature", |
| 3278 | ssl->out_msg + ssl->out_msglen, |
| 3279 | signature_len); |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3280 | |
| 3281 | /* Skip over the already-written signature */ |
| 3282 | ssl->out_msglen += signature_len; |
| 3283 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3284 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3285 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3286 | /* Add header and send. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3287 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3288 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3289 | |
| 3290 | ssl->state++; |
| 3291 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3292 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3293 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3294 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3295 | } |
| 3296 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3297 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange")); |
| 3298 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3299 | } |
| 3300 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3301 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3302 | static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3303 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3304 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3305 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3306 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3307 | |
| 3308 | ssl->out_msglen = 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3309 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3310 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3311 | |
| 3312 | ssl->state++; |
| 3313 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3314 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3315 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 3316 | mbedtls_ssl_send_flight_completed(ssl); |
| 3317 | } |
| Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 3318 | #endif |
| 3319 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3320 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3321 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3322 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3323 | } |
| 3324 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3325 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3326 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 3327 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 3328 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 3329 | return ret; |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3330 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 3331 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3332 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3333 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3334 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3335 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3336 | } |
| 3337 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3338 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 3339 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3340 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3341 | static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3342 | const unsigned char *end) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3343 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3344 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3345 | size_t n; |
| 3346 | |
| 3347 | /* |
| 3348 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| 3349 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3350 | if (*p + 2 > end) { |
| 3351 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3352 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3353 | } |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3354 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3355 | n = ((*p)[0] << 8) | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3356 | *p += 2; |
| 3357 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3358 | if (*p + n > end) { |
| 3359 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3360 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3361 | } |
| 3362 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3363 | if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) { |
| 3364 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret); |
| 3365 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3366 | } |
| 3367 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3368 | *p += n; |
| 3369 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3370 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3371 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3372 | return ret; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3373 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3374 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 3375 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3376 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3377 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3378 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3379 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3380 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3381 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3382 | static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl, |
| 3383 | unsigned char *peer_pms, |
| 3384 | size_t *peer_pmslen, |
| 3385 | size_t peer_pmssize) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3386 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3387 | int ret = ssl->conf->f_async_resume(ssl, |
| 3388 | peer_pms, peer_pmslen, peer_pmssize); |
| 3389 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3390 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3391 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3392 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3393 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret); |
| 3394 | return ret; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3395 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3396 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3397 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3398 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3399 | static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3400 | const unsigned char *p, |
| 3401 | const unsigned char *end, |
| 3402 | unsigned char *peer_pms, |
| 3403 | size_t *peer_pmslen, |
| 3404 | size_t peer_pmssize) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3405 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3406 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Leonid Rozenboim | 70dfd4c | 2022-08-08 15:43:44 -0700 | [diff] [blame] | 3407 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3408 | mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl); |
| 3409 | if (own_cert == NULL) { |
| 3410 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate")); |
| 3411 | return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; |
| Leonid Rozenboim | 70dfd4c | 2022-08-08 15:43:44 -0700 | [diff] [blame] | 3412 | } |
| 3413 | mbedtls_pk_context *public_key = &own_cert->pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3414 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 3415 | size_t len = mbedtls_pk_get_len(public_key); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3416 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3417 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3418 | /* If we have already started decoding the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3419 | * decryption operation, resume signing. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3420 | if (ssl->handshake->async_in_progress != 0) { |
| 3421 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation")); |
| 3422 | return ssl_resume_decrypt_pms(ssl, |
| 3423 | peer_pms, peer_pmslen, peer_pmssize); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3424 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3425 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3426 | |
| 3427 | /* |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3428 | * Prepare to decrypt the premaster using own private RSA key |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3429 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3430 | if (p + 2 > end) { |
| 3431 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3432 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 3433 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3434 | if (*p++ != MBEDTLS_BYTE_1(len) || |
| 3435 | *p++ != MBEDTLS_BYTE_0(len)) { |
| 3436 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3437 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3438 | } |
| 3439 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3440 | if (p + len != end) { |
| 3441 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3442 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3443 | } |
| 3444 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3445 | /* |
| 3446 | * Decrypt the premaster secret |
| 3447 | */ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3448 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3449 | if (ssl->conf->f_async_decrypt_start != NULL) { |
| 3450 | ret = ssl->conf->f_async_decrypt_start(ssl, |
| 3451 | mbedtls_ssl_own_cert(ssl), |
| 3452 | p, len); |
| 3453 | switch (ret) { |
| 3454 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3455 | /* act as if f_async_decrypt_start was null */ |
| 3456 | break; |
| 3457 | case 0: |
| 3458 | ssl->handshake->async_in_progress = 1; |
| 3459 | return ssl_resume_decrypt_pms(ssl, |
| 3460 | peer_pms, |
| 3461 | peer_pmslen, |
| 3462 | peer_pmssize); |
| 3463 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3464 | ssl->handshake->async_in_progress = 1; |
| 3465 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3466 | default: |
| 3467 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret); |
| 3468 | return ret; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3469 | } |
| 3470 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3471 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3472 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3473 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) { |
| 3474 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key")); |
| 3475 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3476 | } |
| 3477 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3478 | ret = mbedtls_pk_decrypt(private_key, p, len, |
| 3479 | peer_pms, peer_pmslen, peer_pmssize, |
| 3480 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3481 | return ret; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3482 | } |
| 3483 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3484 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3485 | static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3486 | const unsigned char *p, |
| 3487 | const unsigned char *end, |
| 3488 | size_t pms_offset) |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3489 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3490 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3491 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| 3492 | unsigned char ver[2]; |
| 3493 | unsigned char fake_pms[48], peer_pms[48]; |
| 3494 | unsigned char mask; |
| 3495 | size_t i, peer_pmslen; |
| 3496 | unsigned int diff; |
| 3497 | |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3498 | /* In case of a failure in decryption, the decryption may write less than |
| 3499 | * 2 bytes of output, but we always read the first two bytes. It doesn't |
| 3500 | * matter in the end because diff will be nonzero in that case due to |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3501 | * ret being nonzero, and we only care whether diff is 0. |
| 3502 | * But do initialize peer_pms and peer_pmslen for robustness anyway. This |
| 3503 | * also makes memory analyzers happy (don't access uninitialized memory, |
| 3504 | * even if it's an unsigned char). */ |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3505 | peer_pms[0] = peer_pms[1] = ~0; |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3506 | peer_pmslen = 0; |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3507 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3508 | ret = ssl_decrypt_encrypted_pms(ssl, p, end, |
| 3509 | peer_pms, |
| 3510 | &peer_pmslen, |
| 3511 | sizeof(peer_pms)); |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3512 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3513 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3514 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3515 | return ret; |
| 3516 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3517 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3518 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3519 | mbedtls_ssl_write_version(ver, ssl->conf->transport, |
| 3520 | ssl->session_negotiate->tls_version); |
| Gilles Peskine | 2e33337 | 2018-04-24 13:22:10 +0200 | [diff] [blame] | 3521 | |
| 3522 | /* Avoid data-dependent branches while checking for invalid |
| 3523 | * padding, to protect against timing-based Bleichenbacher-type |
| 3524 | * attacks. */ |
| 3525 | diff = (unsigned int) ret; |
| 3526 | diff |= peer_pmslen ^ 48; |
| 3527 | diff |= peer_pms[0] ^ ver[0]; |
| 3528 | diff |= peer_pms[1] ^ ver[1]; |
| 3529 | |
| 3530 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3531 | mask = mbedtls_ct_uint_mask(diff); |
| Manuel Pégourié-Gonnard | b9c93d0 | 2015-06-23 13:53:15 +0200 | [diff] [blame] | 3532 | |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3533 | /* |
| 3534 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| 3535 | * must not cause the connection to end immediately; instead, send a |
| 3536 | * bad_record_mac later in the handshake. |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3537 | * To protect against timing-based variants of the attack, we must |
| 3538 | * not have any branch that depends on whether the decryption was |
| 3539 | * successful. In particular, always generate the fake premaster secret, |
| 3540 | * regardless of whether it will ultimately influence the output or not. |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3541 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3542 | ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms)); |
| 3543 | if (ret != 0) { |
| Gilles Peskine | e141638 | 2018-04-26 10:23:21 +0200 | [diff] [blame] | 3544 | /* It's ok to abort on an RNG failure, since this does not reveal |
| 3545 | * anything about the RSA decryption. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3546 | return ret; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3547 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3548 | |
| Manuel Pégourié-Gonnard | 331ba57 | 2015-04-20 12:33:57 +0100 | [diff] [blame] | 3549 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3550 | if (diff != 0) { |
| 3551 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3552 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3553 | #endif |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3554 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3555 | if (sizeof(ssl->handshake->premaster) < pms_offset || |
| 3556 | sizeof(ssl->handshake->premaster) - pms_offset < 48) { |
| 3557 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3558 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3559 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3560 | ssl->handshake->pmslen = 48; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3561 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3562 | /* Set pms to either the true or the fake PMS, without |
| 3563 | * data-dependent branches. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3564 | for (i = 0; i < ssl->handshake->pmslen; i++) { |
| 3565 | pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]); |
| 3566 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3567 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3568 | return 0; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3569 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3570 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 3571 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3572 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3573 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3574 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3575 | static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3576 | const unsigned char *end) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3577 | { |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3578 | int ret = 0; |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 3579 | uint16_t n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3580 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3581 | if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 3582 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); |
| 3583 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3584 | } |
| 3585 | |
| 3586 | /* |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3587 | * Receive client pre-shared key identity name |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3588 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3589 | if (end - *p < 2) { |
| 3590 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3591 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3592 | } |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3593 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3594 | n = ((*p)[0] << 8) | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3595 | *p += 2; |
| 3596 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3597 | if (n == 0 || n > end - *p) { |
| 3598 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3599 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3600 | } |
| 3601 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3602 | if (ssl->conf->f_psk != NULL) { |
| 3603 | if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3604 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3605 | } |
| 3606 | } else { |
| Manuel Pégourié-Gonnard | 31ff1d2 | 2013-10-28 13:46:11 +0100 | [diff] [blame] | 3607 | /* Identity is not a big secret since clients send it in the clear, |
| 3608 | * but treat it carefully anyway, just in case */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3609 | if (n != ssl->conf->psk_identity_len || |
| 3610 | mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3611 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3612 | } |
| 3613 | } |
| 3614 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3615 | if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { |
| 3616 | MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n); |
| 3617 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3618 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY); |
| 3619 | return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3620 | } |
| 3621 | |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3622 | *p += n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3623 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3624 | return 0; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3625 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3626 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3627 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3628 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3629 | static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3630 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3631 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3632 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3633 | unsigned char *p, *end; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3634 | |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3635 | ciphersuite_info = ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3636 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3637 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3638 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3639 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3640 | (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3641 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)) |
| 3642 | if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 3643 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) && |
| 3644 | (ssl->handshake->async_in_progress != 0)) { |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3645 | /* We've already read a record and there is an asynchronous |
| 3646 | * operation in progress to decrypt it. So skip reading the |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3647 | * record. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3648 | MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record")); |
| 3649 | } else |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3650 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3651 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 3652 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 3653 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3654 | } |
| 3655 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3656 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3657 | end = ssl->in_msg + ssl->in_hslen; |
| Manuel Pégourié-Gonnard | f899583 | 2014-09-10 08:25:12 +0000 | [diff] [blame] | 3658 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3659 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 3660 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3661 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3662 | } |
| 3663 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3664 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) { |
| 3665 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3666 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3667 | } |
| 3668 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3669 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3670 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
| 3671 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3672 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3673 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3674 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3675 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3676 | if (p != end) { |
| 3677 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3678 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3679 | } |
| 3680 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3681 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3682 | ssl->handshake->premaster, |
| 3683 | MBEDTLS_PREMASTER_SIZE, |
| 3684 | &ssl->handshake->pmslen, |
| 3685 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3686 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3687 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3688 | } |
| 3689 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3690 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 3691 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3692 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3693 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 3694 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 3695 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 3696 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3697 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 3698 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 3699 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3700 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3701 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3702 | size_t data_len = (size_t) (*p++); |
| 3703 | size_t buf_len = (size_t) (end - p); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3704 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 3705 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3706 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3707 | MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3708 | |
| 3709 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3710 | * We must have at least two bytes (1 for length, at least 1 for data) |
| 3711 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3712 | if (buf_len < 2) { |
| 3713 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); |
| 3714 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3715 | } |
| 3716 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3717 | if (data_len < 1 || data_len > buf_len) { |
| 3718 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); |
| 3719 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3720 | } |
| 3721 | |
| 3722 | /* Store peer's ECDH public key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3723 | memcpy(handshake->ecdh_psa_peerkey, p, data_len); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3724 | handshake->ecdh_psa_peerkey_len = data_len; |
| 3725 | |
| 3726 | /* Compute ECDH shared secret. */ |
| 3727 | status = psa_raw_key_agreement( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3728 | PSA_ALG_ECDH, handshake->ecdh_psa_privkey, |
| 3729 | handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, |
| 3730 | handshake->premaster, sizeof(handshake->premaster), |
| 3731 | &handshake->pmslen); |
| 3732 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3733 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3734 | MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); |
| 3735 | if (handshake->ecdh_psa_privkey_is_external == 0) { |
| 3736 | (void) psa_destroy_key(handshake->ecdh_psa_privkey); |
| 3737 | } |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3738 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3739 | return ret; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3740 | } |
| 3741 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3742 | if (handshake->ecdh_psa_privkey_is_external == 0) { |
| 3743 | status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3744 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3745 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3746 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3747 | MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); |
| 3748 | return ret; |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3749 | } |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3750 | } |
| 3751 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3752 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3753 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3754 | p, end - p)) != 0) { |
| 3755 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3756 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3757 | } |
| 3758 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3759 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3760 | MBEDTLS_DEBUG_ECDH_QP); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3761 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3762 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
| 3763 | &ssl->handshake->pmslen, |
| 3764 | ssl->handshake->premaster, |
| 3765 | MBEDTLS_MPI_MAX_SIZE, |
| 3766 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3767 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
| 3768 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3769 | } |
| 3770 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3771 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3772 | MBEDTLS_DEBUG_ECDH_Z); |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3773 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3774 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3775 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 3776 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 3777 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 3778 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 3779 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3780 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
| 3781 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3782 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3783 | return ret; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3784 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3785 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3786 | if (p != end) { |
| 3787 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3788 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3789 | } |
| 3790 | |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3791 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3792 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3793 | ciphersuite_info->key_exchange)) != 0) { |
| 3794 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3795 | return ret; |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 3796 | } |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3797 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3798 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3799 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| 3800 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3801 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3802 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3803 | if (ssl->handshake->async_in_progress != 0) { |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3804 | /* There is an asynchronous operation in progress to |
| 3805 | * decrypt the encrypted premaster secret, so skip |
| 3806 | * directly to resuming this operation. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3807 | MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed")); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3808 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms |
| 3809 | * won't actually use it, but maintain p anyway for robustness. */ |
| 3810 | p += ssl->conf->psk_identity_len + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3811 | } else |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3812 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3813 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3814 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3815 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3816 | } |
| 3817 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3818 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) { |
| 3819 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret); |
| 3820 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3821 | } |
| 3822 | |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3823 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3824 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3825 | ciphersuite_info->key_exchange)) != 0) { |
| 3826 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3827 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3828 | } |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3829 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3830 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3831 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 3832 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3833 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| 3834 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3835 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3836 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3837 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3838 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3839 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3840 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3841 | } |
| 3842 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3843 | if (p != end) { |
| 3844 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3845 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3846 | } |
| 3847 | |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3848 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3849 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3850 | unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3851 | size_t pms_len; |
| 3852 | |
| 3853 | /* Write length only when we know the actual value */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3854 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3855 | pms + 2, pms_end - (pms + 2), &pms_len, |
| 3856 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3857 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3858 | return ret; |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3859 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3860 | MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3861 | pms += 2 + pms_len; |
| 3862 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3863 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3864 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3865 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3866 | ciphersuite_info->key_exchange)) != 0) { |
| 3867 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3868 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3869 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3870 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3871 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3872 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3873 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3874 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3875 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3876 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3877 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3878 | uint8_t ecpoint_len; |
| 3879 | |
| 3880 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3881 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3882 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3883 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3884 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3885 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3886 | return ret; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3887 | } |
| 3888 | |
| 3889 | /* Keep a copy of the peer's public key */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3890 | if (p >= end) { |
| 3891 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 3892 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3893 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 3894 | } |
| 3895 | |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3896 | ecpoint_len = *(p++); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3897 | if ((size_t) (end - p) < ecpoint_len) { |
| 3898 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3899 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3900 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3901 | } |
| 3902 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3903 | if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { |
| 3904 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3905 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3906 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3907 | } |
| 3908 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3909 | memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3910 | handshake->ecdh_psa_peerkey_len = ecpoint_len; |
| 3911 | p += ecpoint_len; |
| 3912 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 3913 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| Neil Armstrong | fdf20cb | 2022-03-24 09:43:02 +0100 | [diff] [blame] | 3914 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 3915 | * - the octet string produced by the ECDH computation |
| 3916 | * - a uint16 containing the length (in octets) of the PSK |
| 3917 | * - the PSK itself |
| 3918 | */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3919 | unsigned char *psm = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3920 | const unsigned char * const psm_end = |
| 3921 | psm + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 3922 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 3923 | const size_t zlen_size = 2; |
| Neil Armstrong | 549a3e4 | 2022-03-23 18:16:24 +0100 | [diff] [blame] | 3924 | size_t zlen = 0; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3925 | |
| 3926 | /* Compute ECDH shared secret. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3927 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 3928 | handshake->ecdh_psa_privkey, |
| 3929 | handshake->ecdh_psa_peerkey, |
| 3930 | handshake->ecdh_psa_peerkey_len, |
| 3931 | psm + zlen_size, |
| 3932 | psm_end - (psm + zlen_size), |
| 3933 | &zlen); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3934 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3935 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3936 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3937 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3938 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3939 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3940 | } else if (destruction_status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3941 | return PSA_TO_MBEDTLS_ERR(destruction_status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3942 | } |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3943 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 3944 | /* Write the ECDH computation length before the ECDH computation */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3945 | MBEDTLS_PUT_UINT16_BE(zlen, psm, 0); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 3946 | psm += zlen_size + zlen; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3947 | |
| Przemek Stekiel | 14d11b0 | 2022-04-14 08:33:29 +0200 | [diff] [blame] | 3948 | #else /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3949 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3950 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3951 | return ret; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3952 | } |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3953 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3954 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3955 | p, end - p)) != 0) { |
| 3956 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3957 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3958 | } |
| 3959 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3960 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3961 | MBEDTLS_DEBUG_ECDH_QP); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3962 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3963 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3964 | ciphersuite_info->key_exchange)) != 0) { |
| 3965 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3966 | return ret; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3967 | } |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3968 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3969 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3970 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| 3971 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3972 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| 3973 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) { |
| 3974 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret); |
| 3975 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3976 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3977 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3978 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3979 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3980 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3981 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3982 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 3983 | &ssl->handshake->psa_pake_ctx, p, end - p, |
| 3984 | MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { |
| 3985 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 3986 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3987 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3988 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); |
| 3989 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3990 | } |
| 3991 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3992 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
| 3993 | p, end - p); |
| 3994 | if (ret != 0) { |
| 3995 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
| 3996 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3997 | } |
| 3998 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3999 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
| 4000 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 4001 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 4002 | if (ret != 0) { |
| 4003 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
| 4004 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4005 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 4006 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4007 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4008 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4009 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4010 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 4011 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4012 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4013 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4014 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 4015 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 4016 | return ret; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 4017 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4018 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4019 | ssl->state++; |
| 4020 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4021 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4022 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4023 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4024 | } |
| 4025 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4026 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4027 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4028 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4029 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4030 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4031 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4032 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4033 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4034 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4035 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 4036 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4037 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4038 | return 0; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4039 | } |
| 4040 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4041 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 4042 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4043 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4044 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4045 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4046 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4047 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4048 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4049 | size_t i, sig_len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4050 | unsigned char hash[48]; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 4051 | unsigned char *hash_start = hash; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4052 | size_t hashlen; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4053 | mbedtls_pk_type_t pk_alg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4054 | mbedtls_md_type_t md_alg; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4055 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4056 | ssl->handshake->ciphersuite_info; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4057 | mbedtls_pk_context *peer_pk; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4058 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4059 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4060 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4061 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 4062 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4063 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4064 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4065 | } |
| 4066 | |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4067 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4068 | if (ssl->session_negotiate->peer_cert == NULL) { |
| 4069 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4070 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4071 | return 0; |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4072 | } |
| 4073 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4074 | if (ssl->session_negotiate->peer_cert_digest == NULL) { |
| 4075 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4076 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4077 | return 0; |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4078 | } |
| 4079 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4080 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4081 | /* Read the message without adding it to the checksum */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4082 | ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */); |
| 4083 | if (0 != ret) { |
| 4084 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret); |
| 4085 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4086 | } |
| 4087 | |
| 4088 | ssl->state++; |
| 4089 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4090 | /* Process the message contents */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4091 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 4092 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) { |
| 4093 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4094 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4095 | } |
| 4096 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4097 | i = mbedtls_ssl_hs_hdr_len(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4098 | |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4099 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 4100 | peer_pk = &ssl->handshake->peer_pubkey; |
| 4101 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4102 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4103 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4104 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4105 | } |
| 4106 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 4107 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4108 | |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4109 | /* |
| 4110 | * struct { |
| 4111 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| 4112 | * opaque signature<0..2^16-1>; |
| 4113 | * } DigitallySigned; |
| 4114 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4115 | if (i + 2 > ssl->in_hslen) { |
| 4116 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4117 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4118 | } |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4119 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4120 | /* |
| 4121 | * Hash |
| 4122 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4123 | md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]); |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4124 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4125 | if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) { |
| 4126 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4127 | " for verify message")); |
| 4128 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4129 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4130 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4131 | #if !defined(MBEDTLS_MD_SHA1) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4132 | if (MBEDTLS_MD_SHA1 == md_alg) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4133 | hash_start += 16; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4134 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4135 | #endif |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4136 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4137 | /* Info from md_alg will be used instead */ |
| 4138 | hashlen = 0; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4139 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4140 | i++; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4141 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4142 | /* |
| 4143 | * Signature |
| 4144 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4145 | if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) |
| 4146 | == MBEDTLS_PK_NONE) { |
| 4147 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4148 | " for verify message")); |
| 4149 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | b3d9187 | 2013-08-14 15:56:19 +0200 | [diff] [blame] | 4150 | } |
| Manuel Pégourié-Gonnard | ff56da3 | 2013-07-11 10:46:21 +0200 | [diff] [blame] | 4151 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4152 | /* |
| 4153 | * Check the certificate's key type matches the signature alg |
| 4154 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4155 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 4156 | MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); |
| 4157 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4158 | } |
| 4159 | |
| 4160 | i++; |
| 4161 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4162 | if (i + 2 > ssl->in_hslen) { |
| 4163 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4164 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4165 | } |
| 4166 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4167 | sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1]; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4168 | i += 2; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4169 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4170 | if (i + sig_len != ssl->in_hslen) { |
| 4171 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4172 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4173 | } |
| 4174 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4175 | /* Calculate hash and verify signature */ |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 4176 | { |
| 4177 | size_t dummy_hlen; |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 4178 | ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); |
| 4179 | if (0 != ret) { |
| 4180 | MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); |
| 4181 | return ret; |
| 4182 | } |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 4183 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4184 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4185 | if ((ret = mbedtls_pk_verify(peer_pk, |
| 4186 | md_alg, hash_start, hashlen, |
| 4187 | ssl->in_msg + i, sig_len)) != 0) { |
| 4188 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
| 4189 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4190 | } |
| 4191 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 4192 | ret = mbedtls_ssl_update_handshake_status(ssl); |
| 4193 | if (0 != ret) { |
| 4194 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); |
| 4195 | return ret; |
| 4196 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4197 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4198 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4199 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4200 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4201 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4202 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4203 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4204 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4205 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4206 | static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4207 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4208 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4209 | size_t tlen; |
| Manuel Pégourié-Gonnard | b0394be | 2015-05-19 11:40:30 +0200 | [diff] [blame] | 4210 | uint32_t lifetime; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4211 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4212 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4213 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4214 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 4215 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4216 | |
| 4217 | /* |
| 4218 | * struct { |
| 4219 | * uint32 ticket_lifetime_hint; |
| 4220 | * opaque ticket<0..2^16-1>; |
| 4221 | * } NewSessionTicket; |
| 4222 | * |
| 4223 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| 4224 | * 8 . 9 ticket_len (n) |
| 4225 | * 10 . 9+n ticket content |
| 4226 | */ |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 4227 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4228 | if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, |
| 4229 | ssl->session_negotiate, |
| 4230 | ssl->out_msg + 10, |
| 4231 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| 4232 | &tlen, &lifetime)) != 0) { |
| 4233 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret); |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 4234 | tlen = 0; |
| 4235 | } |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4236 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4237 | MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4); |
| 4238 | MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4239 | ssl->out_msglen = 10 + tlen; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4240 | |
| Manuel Pégourié-Gonnard | 145dfcb | 2014-02-26 14:23:33 +0100 | [diff] [blame] | 4241 | /* |
| 4242 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| 4243 | * ChangeCipherSpec share the same state. |
| 4244 | */ |
| 4245 | ssl->handshake->new_session_ticket = 0; |
| 4246 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4247 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 4248 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 4249 | return ret; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4250 | } |
| 4251 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4252 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4253 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4254 | return 0; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4255 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4256 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4257 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4258 | /* |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4259 | * SSL handshake -- server side -- single step |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4260 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4261 | int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4262 | { |
| 4263 | int ret = 0; |
| 4264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4265 | MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4266 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4267 | switch (ssl->state) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4268 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 4269 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4270 | break; |
| 4271 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4272 | /* |
| 4273 | * <== ClientHello |
| 4274 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4275 | case MBEDTLS_SSL_CLIENT_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4276 | ret = ssl_parse_client_hello(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4277 | break; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4278 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4279 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4280 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4281 | return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED; |
| Manuel Pégourié-Gonnard | 579950c | 2014-09-29 17:47:33 +0200 | [diff] [blame] | 4282 | #endif |
| 4283 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4284 | /* |
| 4285 | * ==> ServerHello |
| 4286 | * Certificate |
| 4287 | * ( ServerKeyExchange ) |
| 4288 | * ( CertificateRequest ) |
| 4289 | * ServerHelloDone |
| 4290 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4291 | case MBEDTLS_SSL_SERVER_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4292 | ret = ssl_write_server_hello(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4293 | break; |
| 4294 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4295 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4296 | ret = mbedtls_ssl_write_certificate(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4297 | break; |
| 4298 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4299 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4300 | ret = ssl_write_server_key_exchange(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4301 | break; |
| 4302 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4303 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4304 | ret = ssl_write_certificate_request(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4305 | break; |
| 4306 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4307 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4308 | ret = ssl_write_server_hello_done(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4309 | break; |
| 4310 | |
| 4311 | /* |
| 4312 | * <== ( Certificate/Alert ) |
| 4313 | * ClientKeyExchange |
| 4314 | * ( CertificateVerify ) |
| 4315 | * ChangeCipherSpec |
| 4316 | * Finished |
| 4317 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4318 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4319 | ret = mbedtls_ssl_parse_certificate(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4320 | break; |
| 4321 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4322 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4323 | ret = ssl_parse_client_key_exchange(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4324 | break; |
| 4325 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4326 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4327 | ret = ssl_parse_certificate_verify(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4328 | break; |
| 4329 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4330 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4331 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4332 | break; |
| 4333 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4334 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4335 | ret = mbedtls_ssl_parse_finished(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4336 | break; |
| 4337 | |
| 4338 | /* |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4339 | * ==> ( NewSessionTicket ) |
| 4340 | * ChangeCipherSpec |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4341 | * Finished |
| 4342 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4343 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 4344 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4345 | if (ssl->handshake->new_session_ticket != 0) { |
| 4346 | ret = ssl_write_new_session_ticket(ssl); |
| 4347 | } else |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 4348 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4349 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4350 | break; |
| 4351 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4352 | case MBEDTLS_SSL_SERVER_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4353 | ret = mbedtls_ssl_write_finished(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4354 | break; |
| 4355 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4356 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4357 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4358 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4359 | break; |
| 4360 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4361 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4362 | mbedtls_ssl_handshake_wrapup(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4363 | break; |
| 4364 | |
| 4365 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4366 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 4367 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4368 | } |
| 4369 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4370 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4371 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4372 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4373 | void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4374 | { |
| TRodziewicz | 3946f79 | 2021-06-14 12:11:18 +0200 | [diff] [blame] | 4375 | conf->respect_cli_pref = order; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4376 | } |
| 4377 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 4378 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |