TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8f1c36df00f6cdca0ba0bb04a497057c37248017 / . / library / ssl_tls12_server.c
blob: 923b093af9e79015a933e8122baca436edee2378 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]8#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]15#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/debug.h"
17#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]18#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]19#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]20#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]21
22#include <string.h>
23
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]24#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]27#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
28 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]29static int local_err_translation(psa_status_t status)
30{
31 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]32 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]33 psa_generic_status_to_mbedtls);
34}
35#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]36#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]37#endif
38
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]44#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
49 const unsigned char *info,
50 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]51{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
53 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
54 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]55
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]56 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]57
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]58 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
59 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
60 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63 ssl->cli_id_len = ilen;
64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]66}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]67
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
69 mbedtls_ssl_cookie_write_t *f_cookie_write,
70 mbedtls_ssl_cookie_check_t *f_cookie_check,
71 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]72{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]73 conf->f_cookie_write = f_cookie_write;
74 conf->f_cookie_check = f_cookie_check;
75 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]76}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]77#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]78
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]79#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]80MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]81static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]82{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (conf->f_psk != NULL) {
84 return 1;
85 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]86
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
88 return 0;
89 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]90
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]91
92#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
94 return 1;
95 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]96#endif /* MBEDTLS_USE_PSA_CRYPTO */
97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 if (conf->psk != NULL && conf->psk_len != 0) {
99 return 1;
100 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]103}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]104#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]105
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]106MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
108 const unsigned char *buf,
109 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]110{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]111#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]112 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]113 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]115 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
117 ssl->verify_data_len) != 0) {
118 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
120 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
121 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]122 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]123 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]125 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 if (len != 1 || buf[0] != 0x0) {
127 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
129 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
130 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]131 }
132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]133 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]134 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]135
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]137}
138
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]139#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]140 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]141 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]142/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]143 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
144 * curves (TLS 1.2) extension.
145 *
146 * The "extension_data" field of a supported groups extension contains a
147 * "NamedGroupList" value (TLS 1.3 RFC8446):
148 * enum {
149 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
150 * x25519(0x001D), x448(0x001E),
151 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
152 * ffdhe6144(0x0103), ffdhe8192(0x0104),
153 * ffdhe_private_use(0x01FC..0x01FF),
154 * ecdhe_private_use(0xFE00..0xFEFF),
155 * (0xFFFF)
156 * } NamedGroup;
157 * struct {
158 * NamedGroup named_group_list<2..2^16-1>;
159 * } NamedGroupList;
160 *
161 * The "extension_data" field of a supported elliptic curves extension contains
162 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
163 * enum {
164 * deprecated(1..22),
165 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
166 * x25519(29), x448(30),
167 * reserved (0xFE00..0xFEFF),
168 * deprecated(0xFF01..0xFF02),
169 * (0xFFFF)
170 * } NamedCurve;
171 * struct {
172 * NamedCurve named_curve_list<2..2^16-1>
173 * } NamedCurveList;
174 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]175 * The TLS 1.3 supported groups extension was defined to be a compatible
176 * generalization of the TLS 1.2 supported elliptic curves extension. They both
177 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]178 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]179 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]180MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]181static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
182 const unsigned char *buf,
183 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]184{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]185 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]186 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]187 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 if (len < 2) {
190 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
191 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
192 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
193 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]194 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]195 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]196 if (list_size + 2 != len ||
197 list_size % 2 != 0) {
198 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
199 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
200 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]202 }
203
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]204 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 if (ssl->handshake->curves_tls_id != NULL) {
206 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
207 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
208 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
209 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]210 }
211
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]212 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213 * and leave room for a final 0 */
214 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]215 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]216 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]219 if ((curves_tls_id = mbedtls_calloc(our_size,
220 sizeof(*curves_tls_id))) == NULL) {
221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
222 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
223 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]224 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]225
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]226 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]227
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]228 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]229 while (list_size > 0 && our_size > 1) {
230 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]231
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
233 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]234 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]235 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]236 }
237
238 list_size -= 2;
239 p += 2;
240 }
241
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]242 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]243}
244
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]245MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]246static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
247 const unsigned char *buf,
248 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]249{
250 size_t list_size;
251 const unsigned char *p;
252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]253 if (len == 0 || (size_t) (buf[0] + 1) != len) {
254 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
256 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
257 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]258 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]259 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]260
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]261 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]262 while (list_size > 0) {
263 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
264 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]265#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
266 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]267 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]268#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]269#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]270 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
271 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
272 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]273#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
275 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]276 }
277
278 list_size--;
279 p++;
280 }
281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]283}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]284#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]285 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]286 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]287
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]288#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]289MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]290static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
291 const unsigned char *buf,
292 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]293{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]294 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]295
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]296#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
303 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]304 }
305
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]306#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]307 if ((ret = mbedtls_psa_ecjpake_read_round(
308 &ssl->handshake->psa_pake_ctx, buf, len,
309 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
310 psa_destroy_key(ssl->handshake->psa_pake_password);
311 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]314 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 ssl,
316 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
317 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]320 }
321#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
323 buf, len)) != 0) {
324 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
325 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
327 return ret;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]328 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]329#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]330
331 /* Only mark the extension as OK when we're sure it is */
332 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
333
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]334 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]335}
336#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]339MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]340static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
341 const unsigned char *buf,
342 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]343{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
345 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
346 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
347 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
348 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]349 }
350
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]351 ssl->session_negotiate->mfl_code = buf[0];
352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]354}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]355#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]356
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]357#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]358MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
360 const unsigned char *buf,
361 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]362{
363 size_t peer_cid_len;
364
365 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
367 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
368 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
369 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
370 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]371 }
372
373 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]374 * struct {
375 * opaque cid<0..2^8-1>;
376 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 if (len < 1) {
380 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
381 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
382 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
383 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]384 }
385
386 peer_cid_len = *buf++;
387 len--;
388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 if (len != peer_cid_len) {
390 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
391 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
392 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
393 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]394 }
395
396 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]398 /* Leave ssl->handshake->cid_in_use in its default
399 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
401 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]402 }
403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]404 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
405 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
406 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
408 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]409 }
410
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]411 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]412 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]413 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
416 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]417
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]419}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]420#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]422#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]423MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
425 const unsigned char *buf,
426 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]427{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]428 if (len != 0) {
429 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
430 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
431 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
432 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]433 }
434
435 ((void) buf);
436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]437 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]438 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]439 }
440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]442}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]443#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]445#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]446MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
448 const unsigned char *buf,
449 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]450{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]451 if (len != 0) {
452 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
453 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
454 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
455 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]456 }
457
458 ((void) buf);
459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]461 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]462 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]463
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]464 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]465}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]466#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]468#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]469MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
471 unsigned char *buf,
472 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]473{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]475 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]479 if (ssl->conf->f_ticket_parse == NULL ||
480 ssl->conf->f_ticket_write == NULL) {
481 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]482 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]483
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]484 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]485 ssl->handshake->new_session_ticket = 1;
486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]489 if (len == 0) {
490 return 0;
491 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]493#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
495 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
496 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]497 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]499
500 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]501 * Failures are ok: just ignore the ticket and proceed.
502 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
504 buf, len)) != 0) {
505 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]507 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
508 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
509 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
510 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
511 } else {
512 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
513 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]514
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]516 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]517
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]518 /*
519 * Keep the session ID sent by the client, since we MUST send it back to
520 * inform them we're accepting the ticket (RFC 5077 section 3.4)
521 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]522 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]523 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525 mbedtls_ssl_session_free(ssl->session_negotiate);
526 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]527
528 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]531 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]532
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]533 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]534
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]535 /* Don't send a new ticket after all, this one is OK */
536 ssl->handshake->new_session_ticket = 0;
537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]539}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]540#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]541
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]543MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]544static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
545 const unsigned char *buf,
546 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]547{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]548 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]549 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]550 size_t profile_length;
551 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]552 /*! 2 bytes for profile length and 1 byte for mki len */
553 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]554
555 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
557 (ssl->conf->dtls_srtp_profile_list == NULL) ||
558 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
559 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]560 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]561
562 /* RFC5764 section 4.1.1
563 * uint8 SRTPProtectionProfile[2];
564 *
565 * struct {
566 * SRTPProtectionProfiles SRTPProtectionProfiles;
567 * opaque srtp_mki<0..255>;
568 * } UseSRTPData;
569
570 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]571 */
572
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]573 /*
574 * Min length is 5: at least one protection profile(2 bytes)
575 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]576 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]577 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]578 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if (len < size_of_lengths) {
580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
582 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]583 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]584
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]586
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]587 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]589 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]590
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]591 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]592 if (profile_length > len - size_of_lengths ||
593 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
594 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
596 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]597 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]598 /*
599 * parse the extension list values are defined in
600 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
601 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]603 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
607 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
608 mbedtls_ssl_get_srtp_profile_as_string(
609 client_protection)));
610 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]611 continue;
612 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]613 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
615 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]616 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
618 mbedtls_ssl_get_srtp_profile_as_string(
619 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]620 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621 }
622 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]623 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]624 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]626 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]627 buf += profile_length; /* buf points to the mki length */
628 mki_length = *buf;
629 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]630
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]631 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
632 mki_length + profile_length + size_of_lengths != len) {
633 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
634 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
635 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]636 }
637
638 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]639 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
640 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]641 ssl->dtls_srtp_info.mki_len = mki_length;
642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]643 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]644
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
646 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]650}
651#endif /* MBEDTLS_SSL_DTLS_SRTP */
652
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]653/*
654 * Auxiliary functions for ServerHello parsing and related actions
655 */
656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]658/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]659 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]660 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]661#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]662MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663static int ssl_check_key_curve(mbedtls_pk_context *pk,
664 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]665{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]666 uint16_t *curr_tls_id = curves_tls_id;
Valerio Setti74cb4042023-10-16 13:40:50 +0200[diff] [blame]667 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]668 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]670 while (*curr_tls_id != 0) {
671 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
672 if (curr_grp_id == grp_id) {
673 return 0;
674 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]675 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]676 }
677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]679}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]680#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]681
682/*
683 * Try picking a certificate for this ciphersuite,
684 * return 0 on success and -1 on failure.
685 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]686MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]687static int ssl_pick_cert(mbedtls_ssl_context *ssl,
688 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]689{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]690 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]691#if defined(MBEDTLS_USE_PSA_CRYPTO)
692 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]694 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]696#else
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]697 mbedtls_pk_type_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]700 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]704 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]705 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]706#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]707 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]708
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]709 int pk_alg_is_none = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]710#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]712#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]713 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]714#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 if (pk_alg_is_none) {
716 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]717 }
718
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]719 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
720
721 if (list == NULL) {
722 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
723 return -1;
724 }
725
726 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]727 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]728 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
729 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]730
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]731 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]732#if defined(MBEDTLS_USE_PSA_CRYPTO)
733#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
735 ssl->conf->f_async_decrypt_start != NULL ||
736 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
737 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]738#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]739 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]740 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]741#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
742#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]744#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745 if (!key_type_matches) {
746 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]748 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]749
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]750 /*
751 * This avoids sending the client a cert it'll reject based on
752 * keyUsage or other extensions.
753 *
754 * It also allows the user to provision different certificates for
755 * different uses based on keyUsage, eg if they want to avoid signing
756 * and decrypting with the same RSA key.
757 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]758 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
759 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
760 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
761 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]762 continue;
763 }
764
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]765#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (pk_alg == MBEDTLS_PK_ECDSA &&
767 ssl_check_key_curve(&cur->cert->pk,
768 ssl->handshake->curves_tls_id) != 0) {
769 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]770 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]771 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]772#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]773
774 /* If we get there, we got a winner */
775 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]776 }
777
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]778 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]779 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]780 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
782 ssl->handshake->key_cert->cert);
783 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]784 }
785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]786 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]787}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]788#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]789
790/*
791 * Check if a given ciphersuite is suitable for use with our config/keys/etc
792 * Sets ciphersuite_info only if the suite matches.
793 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
796 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]797{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]798 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]799
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]800#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]801 mbedtls_pk_type_t sig_type;
802#endif
803
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]804 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
805 if (suite_info == NULL) {
806 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
807 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808 }
809
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]810 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
811 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813 if (suite_info->min_tls_version > ssl->tls_version ||
814 suite_info->max_tls_version < ssl->tls_version) {
815 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
816 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]817 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]818
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]819#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]820 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
821 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
822 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
823 "not configured or ext missing"));
824 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]825 }
826#endif
827
828
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]829#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]830 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
832 (ssl->handshake->curves_tls_id == NULL ||
833 ssl->handshake->curves_tls_id[0] == 0)) {
834 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
835 "no common elliptic curve"));
836 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]837 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]838#endif
839
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]840#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]841 /* If the ciphersuite requires a pre-shared key and we don't
842 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]843 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
844 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
845 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
846 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]847 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]848#endif
849
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]850#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]851 /*
852 * Final check: if ciphersuite requires us to have a
853 * certificate/key of a particular type:
854 * - select the appropriate certificate if we have one, or
855 * - try the next ciphersuite if we don't
856 * This must be done last since we modify the key_cert list.
857 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]858 if (ssl_pick_cert(ssl, suite_info) != 0) {
859 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
860 "no suitable certificate"));
861 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]862 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]863#endif
864
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]865#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
866 /* If the ciphersuite requires signing, check whether
867 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
869 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]870 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
872 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
873 "for signature algorithm %u", (unsigned) sig_type));
874 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]875 }
876
877#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
878
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]879 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]880 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]881}
882
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]883/* This function doesn't alert on errors that happen early during
884 ClientHello parsing because they might indicate that the client is
885 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]886MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]887static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]889 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]890 size_t i, j;
891 size_t ciph_offset, comp_offset, ext_offset;
892 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]894 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]895#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]896 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]898 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]899#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]900 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]901 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]903
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]904 /* If there is no signature-algorithm extension present,
905 * we need to fall back to the default values for allowed
906 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]907#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]908 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]909#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]910
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]913 int renegotiating;
914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]916read_record_header:
917#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]918 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]919 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]920 * otherwise read it ourselves manually in order to support SSLv2
921 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]922 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
923 * ClientHello has been already fully fetched by the TLS 1.3 code and the
924 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]925 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]926 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]929#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]930 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]932 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]933 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
934 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]935 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936 }
937
938 buf = ssl->in_hdr;
939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]940 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]941
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]942 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]943 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]944 *
945 * Record layer:
946 * 0 . 0 message type
947 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]948 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]949 * 3 . 4 message length
950 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
952 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
955 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
956 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]957 }
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]960 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
963 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]964
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]965 /* For DTLS if this is the initial handshake, remember the client sequence
966 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]969#if defined(MBEDTLS_SSL_RENEGOTIATION)
970 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]971#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]973 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
975 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
976 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]977 }
978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
980 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]982#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]983 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
984 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]985 ssl->next_record_offset = 0;
986 ssl->in_left = 0;
987 goto read_record_header;
988 }
989
990 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]992#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]993 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]995
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]996 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1000 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]1001 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1002 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1003#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1004 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1005 if (ssl->keep_current_message) {
1006 ssl->keep_current_message = 0;
1007 } else {
1008 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1009 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1010 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1011 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1012
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1013 if ((ret = mbedtls_ssl_fetch_input(ssl,
1014 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1015 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1016 return ret;
1017 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1018
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1019 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1021 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1022 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1023 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1024#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1025 ssl->in_left = 0;
1026 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]1027 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1028
1029 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1031 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1032
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1033 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1034 if (0 != ret) {
1035 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1036 return ret;
1037 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1038
1039 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1040 * Handshake layer:
1041 * 0 . 0 handshake type
1042 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1043 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1044 * 6 . 8 DTLS only: fragment offset
1045 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1046 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1048 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1049 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1050 }
1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1054 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1055 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1056 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1057 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1058 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1060 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1061 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1062
1063 /* The record layer has a record size limit of 2^14 - 1 and
1064 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1065 if (buf[1] != 0) {
1066 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1067 (unsigned) buf[1]));
1068 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1069 }
1070
1071 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1072 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1073 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1074 (unsigned) msg_len,
1075 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1076 (unsigned) handshake_len));
1077 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1078 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1079 }
1080
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1082 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1083 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1084 * Copy the client's handshake message_seq on initial handshakes,
1085 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1086 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1089 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1090 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1091 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1092 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1093 "%u (expected %u)", cli_msg_seq,
1094 ssl->handshake->in_msg_seq));
1095 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1096 }
1097
1098 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1100#endif
1101 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1102 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1103 ssl->handshake->out_msg_seq = cli_msg_seq;
1104 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1105 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1106 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1107 /*
1108 * For now we don't support fragmentation, so make sure
1109 * fragment_offset == 0 and fragment_length == length
1110 */
1111 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1112 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1113 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1114 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1115 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 4, ("fragment_offset=%u fragment_length=%u length=%u",
1117 (unsigned) fragment_offset, (unsigned) fragment_length,
1118 (unsigned) length));
1119 if (fragment_offset != 0 || length != fragment_length) {
1120 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1121 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1122 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1123 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1124 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1126
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1127 buf += mbedtls_ssl_hs_hdr_len(ssl);
1128 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1129
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1130 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1131 * ClientHello layer:
1132 * 0 . 1 protocol version
1133 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1134 * 34 . 35 session id length (1 byte)
1135 * 35 . 34+x session id
1136 * 35+x . 35+x DTLS only: cookie length (1 byte)
1137 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1138 * .. . .. ciphersuite list length (2 bytes)
1139 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1140 * .. . .. compression alg. list length (1 byte)
1141 * .. . .. compression alg. list
1142 * .. . .. extensions length (2 bytes, optional)
1143 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1144 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1145
1146 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1147 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1148 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1149 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1150 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1151 if (msg_len < 38) {
1152 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1153 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1154 }
1155
1156 /*
1157 * Check and save the protocol version
1158 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1159 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1160
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1161 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1162 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1163 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1165 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1166 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1167 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1168 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1169 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1170 }
1171
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1172 /*
1173 * Save client random (inc. Unix time)
1174 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1175 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1177 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1178
1179 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1180 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1181 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1182 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1185 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1187 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1188 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1189 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1190 }
1191
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1192 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1193
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1194 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1195 memset(ssl->session_negotiate->id, 0,
1196 sizeof(ssl->session_negotiate->id));
1197 memcpy(ssl->session_negotiate->id, buf + 35,
1198 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1199
1200 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1201 * Check the cookie length and content
1202 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1204 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1205 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1206 cookie_len = buf[cookie_offset];
1207
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1208 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1209 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1210 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1211 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1212 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1213 }
1214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1216 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1217
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1218#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1219 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1220#if defined(MBEDTLS_SSL_RENEGOTIATION)
1221 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1222#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1223 ) {
1224 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1225 buf + cookie_offset + 1, cookie_len,
1226 ssl->cli_id, ssl->cli_id_len) != 0) {
1227 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1228 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 } else {
1230 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1231 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1232 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1234#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1235 {
1236 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1237 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1238 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1240 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1241 }
1242
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1243 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1244 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1245
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1246 /*
1247 * Check the ciphersuitelist length (will be parsed later)
1248 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1249 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1250 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1252 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1253
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1254 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1255
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1256 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1257 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1258 (ciph_len % 2) != 0) {
1259 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1260 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1261 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1262 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1263 }
1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1266 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1267
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1268 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1269 * Check the compression algorithm's length.
1270 * The list contents are ignored because implementing
1271 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1272 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1273 */
1274 comp_offset = ciph_offset + 2 + ciph_len;
1275
1276 comp_len = buf[comp_offset];
1277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1278 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1279 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1280 comp_len + comp_offset + 1 > msg_len) {
1281 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1282 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1283 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1284 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1285 }
1286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1287 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1288 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1290 /*
1291 * Check the extension length
1292 */
1293 ext_offset = comp_offset + 1 + comp_len;
1294 if (msg_len > ext_offset) {
1295 if (msg_len < ext_offset + 2) {
1296 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1297 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1298 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1299 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1300 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1301
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1302 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1303
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1304 if (msg_len != ext_offset + 2 + ext_len) {
1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1308 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1309 }
1310 } else {
1311 ext_len = 0;
1312 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1314 ext = buf + ext_offset + 2;
1315 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1316
1317 while (ext_len != 0) {
1318 unsigned int ext_id;
1319 unsigned int ext_size;
1320 if (ext_len < 4) {
1321 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1322 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1323 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1324 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1325 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1326 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1327 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1328
1329 if (ext_size + 4 > ext_len) {
1330 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1331 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1332 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1333 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1334 }
1335 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1337 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1338 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1339 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1340 ext + 4 + ext_size);
1341 if (ret != 0) {
1342 return ret;
1343 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1344 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1346
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1347 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1348 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1350 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1351#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1353 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1354 if (ret != 0) {
1355 return ret;
1356 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1357 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1358
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1359#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1360 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1361 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1364 if (ret != 0) {
1365 return ret;
1366 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1367
1368 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1369 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1370#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1371
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1372#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1373 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1375 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1377
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1379 if (ret != 0) {
1380 return ret;
1381 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1382 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1383
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1384 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1386 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1388 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1389 if (ret != 0) {
1390 return ret;
1391 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1392 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1393#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1394 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1395 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1396
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1397#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1398 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1399 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1401 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1402 if (ret != 0) {
1403 return ret;
1404 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1405 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1406#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1408#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1409 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1410 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1412 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1413 if (ret != 0) {
1414 return ret;
1415 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1416 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1417#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1418
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1419#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1420 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1423 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1424 if (ret != 0) {
1425 return ret;
1426 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1427 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1428#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1429
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1430#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1431 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1432 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1434 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1435 if (ret != 0) {
1436 return ret;
1437 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1438 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1439#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1441#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1442 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1443 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1444
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1445 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1446 if (ret != 0) {
1447 return ret;
1448 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1449 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1450#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1453 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1454 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1456 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1457 if (ret != 0) {
1458 return ret;
1459 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1460 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1462
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1463#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1464 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1465 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1466
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1467 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1468 ext + 4 + ext_size);
1469 if (ret != 0) {
1470 return ret;
1471 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1472 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1474
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1475#if defined(MBEDTLS_SSL_DTLS_SRTP)
1476 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1477 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1479 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1480 if (ret != 0) {
1481 return ret;
1482 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1483 break;
1484#endif /* MBEDTLS_SSL_DTLS_SRTP */
1485
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1486 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1488 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1489 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1490
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1491 ext_len -= 4 + ext_size;
1492 ext += 4 + ext_size;
1493 }
1494
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1495#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1496
1497 /*
1498 * Try to fall back to default hash SHA1 if the client
1499 * hasn't provided any preferred signature-hash combinations.
1500 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1501 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1502 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1503 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1504#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1506 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1507#endif
1508#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1509 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1510 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1511#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1512 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1513 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1514
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1515 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1516 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1517 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1518
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1519 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1520 }
1521
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1522#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1523
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1524 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1525 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1526 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1527 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1528 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1529 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1531 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1532 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1533 "during renegotiation"));
1534 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1535 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1536 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1537 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1538#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1539 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1540 break;
1541 }
1542 }
1543
1544 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1545 * Renegotiation security checks
1546 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1547 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1548 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1549 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1550 handshake_failure = 1;
1551 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1553 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1554 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 renegotiation_info_seen == 0) {
1556 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1557 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1558 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1559 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1560 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1561 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1562 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1563 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1564 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1565 renegotiation_info_seen == 1) {
1566 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1567 handshake_failure = 1;
1568 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1569#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1571 if (handshake_failure == 1) {
1572 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1573 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1574 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1575 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1576
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1577 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1578 * Server certification selection (after processing TLS extensions)
1579 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1581 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1582 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1583 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1584#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1585 ssl->handshake->sni_name = NULL;
1586 ssl->handshake->sni_name_len = 0;
1587#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1588
1589 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1590 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1591 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1592 * and certificate from the SNI callback triggered by the SNI extension
1593 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1594 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1595 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1596 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1597 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1598
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1599 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1600 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1601 for (i = 0; ciphersuites[i] != 0; i++) {
1602 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1603 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1604 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1605
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1606 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1608 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1609 &ciphersuite_info)) != 0) {
1610 return ret;
1611 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1612
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1613 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1614 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1615 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1616 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1617 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1618 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1619 for (i = 0; ciphersuites[i] != 0; i++) {
1620 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1621 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1622 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1623 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1624
1625 got_common_suite = 1;
1626
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1627 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1628 &ciphersuite_info)) != 0) {
1629 return ret;
1630 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1631
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1632 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1633 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1634 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1635 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1636 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1637 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1638
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1639 if (got_common_suite) {
1640 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1641 "but none of them usable"));
1642 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1643 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1644 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1645 } else {
1646 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1647 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1648 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1649 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1650 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1651
1652have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1653 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1654
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1655 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1656 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658 ssl->state++;
1659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1660#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1662 mbedtls_ssl_recv_flight_completed(ssl);
1663 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1664#endif
1665
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1666 /* Debugging-only output for testsuite */
1667#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1668 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1669 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1670 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1671 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1672 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1673 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1674 sig_hash));
1675 } else {
1676 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1677 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1678 }
1679#endif
1680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1681 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1682
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1683 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684}
1685
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1686#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1687static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1688 unsigned char *buf,
1689 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1690{
1691 unsigned char *p = buf;
1692 size_t ext_len;
1693 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1694
1695 *olen = 0;
1696
1697 /* Skip writing the extension if we don't want to use it or if
1698 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1699 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1700 return;
1701 }
1702
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1703 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1704 * which is at most 255, so the increment cannot overflow. */
1705 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1706 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1707 return;
1708 }
1709
1710 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1711
1712 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1713 * struct {
1714 * opaque cid<0..2^8-1>;
1715 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1716 */
1717 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1718 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1719 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1721 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1722
1723 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1724 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1725
1726 *olen = ssl->own_cid_len + 5;
1727}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1728#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1729
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1730#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1731static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1732 unsigned char *buf,
1733 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1734{
1735 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1736 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1737
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1738 /*
1739 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1740 * from a client and then selects a stream or Authenticated Encryption
1741 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1742 * encrypt-then-MAC response extension back to the client."
1743 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1744 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1745 ssl->session_negotiate->ciphersuite);
1746 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1747 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1748 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1749 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1750 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1751 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1754 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1755 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1757 }
1758
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1759 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1760 *olen = 0;
1761 return;
1762 }
1763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1764 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1766 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1767 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1768
1769 *p++ = 0x00;
1770 *p++ = 0x00;
1771
1772 *olen = 4;
1773}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1774#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1778 unsigned char *buf,
1779 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1780{
1781 unsigned char *p = buf;
1782
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1783 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1784 *olen = 0;
1785 return;
1786 }
1787
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1788 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1789 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1790
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1791 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1792 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1793
1794 *p++ = 0x00;
1795 *p++ = 0x00;
1796
1797 *olen = 4;
1798}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1800
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1802static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1803 unsigned char *buf,
1804 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1805{
1806 unsigned char *p = buf;
1807
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1808 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1809 *olen = 0;
1810 return;
1811 }
1812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1813 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1815 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1816 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1817
1818 *p++ = 0x00;
1819 *p++ = 0x00;
1820
1821 *olen = 4;
1822}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1823#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1824
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1825static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1826 unsigned char *buf,
1827 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1828{
1829 unsigned char *p = buf;
1830
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1831 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1832 *olen = 0;
1833 return;
1834 }
1835
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1836 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1837
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1838 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1839 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1840
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1841#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1842 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1843 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1844 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1845 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1846
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1847 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1848 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1849 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1850 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1851 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1853 {
1854 *p++ = 0x00;
1855 *p++ = 0x01;
1856 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1857 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1858
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1859 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1860}
1861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1863static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1864 unsigned char *buf,
1865 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1866{
1867 unsigned char *p = buf;
1868
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1869 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1870 *olen = 0;
1871 return;
1872 }
1873
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1874 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1876 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1877 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1878
1879 *p++ = 0x00;
1880 *p++ = 1;
1881
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1882 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1883
1884 *olen = 5;
1885}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1886#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1887
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1888#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1889 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1890 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1891static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1892 unsigned char *buf,
1893 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1894{
1895 unsigned char *p = buf;
1896 ((void) ssl);
1897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1898 if ((ssl->handshake->cli_exts &
1899 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1900 *olen = 0;
1901 return;
1902 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1903
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1904 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1905
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1906 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1907 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1908
1909 *p++ = 0x00;
1910 *p++ = 2;
1911
1912 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1913 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1914
1915 *olen = 6;
1916}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1917#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1918 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1919 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1920
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1921#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1922static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1923 unsigned char *buf,
1924 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1925{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1927 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1928 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1929 size_t kkpp_len;
1930
1931 *olen = 0;
1932
1933 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1934 if (ssl->handshake->ciphersuite_info->key_exchange !=
1935 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1936 return;
1937 }
1938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1939 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1940
1941 if (end - p < 4) {
1942 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1943 return;
1944 }
1945
1946 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1947 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1948
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1949#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1951 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1952 MBEDTLS_ECJPAKE_ROUND_ONE);
1953 if (ret != 0) {
1954 psa_destroy_key(ssl->handshake->psa_pake_password);
1955 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1956 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1957 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1958 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1959#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1960 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1961 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 ssl->conf->f_rng, ssl->conf->p_rng);
1963 if (ret != 0) {
1964 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1965 return;
1966 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1967#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1968
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1969 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1970 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1971
1972 *olen = kkpp_len + 4;
1973}
1974#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1976#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1977static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1978 unsigned char *buf,
1979 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1980{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1981 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1982 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1983 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1984
1985 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1986
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1987 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1988 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1989 return;
1990 }
1991
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1993
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1994 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1995 mki_len = ssl->dtls_srtp_info.mki_len;
1996 }
1997
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1998 /* The extension total size is 9 bytes :
1999 * - 2 bytes for the extension tag
2000 * - 2 bytes for the total size
2001 * - 2 bytes for the protection profile length
2002 * - 2 bytes for the protection profile
2003 * - 1 byte for the mki length
2004 * + the actual mki length
2005 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2006 if ((size_t) (end - buf) < mki_len + 9) {
2007 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]2008 return;
2009 }
2010
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2011 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2012 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]2013 /*
2014 * total length 5 and mki value: only one profile(2 bytes)
2015 * and length(2 bytes) and srtp_mki )
2016 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2017 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2018 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2019
2020 /* protection profile length: 2 */
2021 buf[4] = 0x00;
2022 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]2023 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2024 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2025 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2026 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2027 } else {
2028 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]2029 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2030 }
2031
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2032 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2033 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2034
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2035 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2036}
2037#endif /* MBEDTLS_SSL_DTLS_SRTP */
2038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2040MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2041static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2042{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2043 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2044 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2045 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2046
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2047 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2048
2049 /*
2050 * struct {
2051 * ProtocolVersion server_version;
2052 * opaque cookie<0..2^8-1>;
2053 * } HelloVerifyRequest;
2054 */
2055
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2056 /* The RFC is not clear on this point, but sending the actual negotiated
2057 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2058 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2059 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2060 p += 2;
2061
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2062 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2063 if (ssl->conf->f_cookie_write == NULL) {
2064 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2065 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2066 }
2067
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2068 /* Skip length byte until we know the length */
2069 cookie_len_byte = p++;
2070
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2071 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2072 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2073 ssl->cli_id, ssl->cli_id_len)) != 0) {
2074 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2075 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2076 }
2077
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2079
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2080 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2081
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2082 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2083 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2084 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2086 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2088 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2089 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2090 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2091 }
2092
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2093#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2094 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2095 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2096 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2097 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2098 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2099#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2100
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2101 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2102
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2103 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2104}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2106
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2107static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2108{
2109 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2110 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2111 mbedtls_ssl_session * const session = ssl->session_negotiate;
2112
2113 /* Resume is 0 by default, see ssl_handshake_init().
2114 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2115 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2116 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2117 }
2118 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2119 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2120 }
2121 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2122 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2123 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2124#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2125 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2126 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2128#endif
2129
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2130 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2131
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2132 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2133 session->id,
2134 session->id_len,
2135 &session_tmp);
2136 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2137 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2138 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2140 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2141 /* Mismatch between cached and negotiated session */
2142 goto exit;
2143 }
2144
2145 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2146 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2147 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2148 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2150 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2151 ssl->handshake->resume = 1;
2152
2153exit:
2154
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2155 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2156}
2157
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2158MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2159static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2160{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2161#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2162 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2163#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2164 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2165 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166 unsigned char *buf, *p;
2167
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2168 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2170#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2171 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2172 ssl->handshake->cookie_verify_result != 0) {
2173 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2174 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2177 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2178#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2179
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2180 if (ssl->conf->f_rng == NULL) {
2181 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2182 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2183 }
2184
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185 /*
2186 * 0 . 0 handshake type
2187 * 1 . 3 handshake length
2188 * 4 . 5 protocol version
2189 * 6 . 9 UNIX time()
2190 * 10 . 37 random bytes
2191 */
2192 buf = ssl->out_msg;
2193 p = buf + 4;
2194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2195 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2196 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2198 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2199 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2201#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2202 t = mbedtls_time(NULL);
2203 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2204 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2206 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2207 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2208#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2209 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2210 return ret;
2211 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2212
2213 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2216 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2217 return ret;
2218 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2219 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2220
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2221#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2222 /*
2223 * RFC 8446
2224 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2225 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2226 * response to a ClientHello MUST set the last 8 bytes of their Random
2227 * value specially in their ServerHello.
2228 */
2229 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2230 static const unsigned char magic_tls12_downgrade_string[] =
2231 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2232
2233 MBEDTLS_STATIC_ASSERT(
2234 sizeof(magic_tls12_downgrade_string) == 8,
2235 "magic_tls12_downgrade_string does not have the expected size");
2236
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2237 memcpy(p, magic_tls12_downgrade_string,
2238 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2239 } else
2240#endif
2241 {
2242 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2243 return ret;
2244 }
2245 }
2246 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2250 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2252 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2254 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2255 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2256 * New session, create a new session id,
2257 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2258 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259 ssl->state++;
2260
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2261#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2262 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2263#endif
2264
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2265#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2266 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2267 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2268 memset(ssl->session_negotiate->id, 0, 32);
2269 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2271 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2272 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2273 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2274 n)) != 0) {
2275 return ret;
2276 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2277 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2278 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2279 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2280 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2281 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2282 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2283 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2285 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2286 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2287 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2288 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2289 }
2290
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2291 /*
2292 * 38 . 38 session id length
2293 * 39 . 38+n session id
2294 * 39+n . 40+n chosen ciphersuite
2295 * 41+n . 41+n chosen compression alg.
2296 * 42+n . 43+n extensions length
2297 * 44+n . 43+n+m extensions
2298 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2299 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2300 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2301 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2303 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2304 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2305 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2306 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2307
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2308 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2309 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2310 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2313 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2314 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2315 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2316
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2317 /*
2318 * First write extensions, then the total length
2319 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2320 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2321 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2323#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2324 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2325 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2326#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2328#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2329 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2330 ext_len += olen;
2331#endif
2332
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2333#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2335 ext_len += olen;
2336#endif
2337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2338#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2339 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2340 ext_len += olen;
2341#endif
2342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2345 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2346#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2347
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2348#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2349 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2350 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2351 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2352 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2353 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2354 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2355 ext_len += olen;
2356 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2357#endif
2358
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2359#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2360 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2361 ext_len += olen;
2362#endif
2363
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2364#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2365 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2366 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2367 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2368 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2369 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2370
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2371 ext_len += olen;
2372#endif
2373
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2374#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2375 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2376 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2377#endif
2378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2379 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2380 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2382 if (ext_len > 0) {
2383 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2384 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2385 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2386
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2387 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2388 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2389 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2391 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2393 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2395 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396}
2397
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2398#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2399MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2400static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2401{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2402 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2403 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2405 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2406
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2407 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2408 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2409 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2410 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2411 }
2412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2413 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2414 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2415}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2416#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2417MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2418static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2419{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2421 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2422 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2423 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2424 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2426 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2427 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2428 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2430 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431
2432 ssl->state++;
2433
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2434#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2435 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2436 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2437 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2438#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2442 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2443 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2444 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2445 }
2446
2447 /*
2448 * 0 . 0 handshake type
2449 * 1 . 3 handshake length
2450 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2451 * 5 .. m-1 cert types
2452 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2453 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454 * n .. n+1 length of all DNs
2455 * n+2 .. n+3 length of DN 1
2456 * n+4 .. ... Distinguished Name #1
2457 * ... .. ... length of DN 2, etc.
2458 */
2459 buf = ssl->out_msg;
2460 p = buf + 4;
2461
2462 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2463 * Supported certificate types
2464 *
2465 * ClientCertificateType certificate_types<1..2^8-1>;
2466 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2468 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2470#if defined(MBEDTLS_RSA_C)
2471 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2472#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2473#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2474 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2475#endif
2476
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2477 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2478 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2479
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2480 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2481
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2482 /*
2483 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2484 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2485 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2486 *
2487 * struct {
2488 * HashAlgorithm hash;
2489 * SignatureAlgorithm signature;
2490 * } SignatureAndHashAlgorithm;
2491 *
2492 * enum { (255) } HashAlgorithm;
2493 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2494 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2495 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2496 if (sig_alg == NULL) {
2497 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2498 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2500 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2501 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2502
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2503 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2504 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 }
2506 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2507 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2508 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2509
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2510 /* Write elements at offsets starting from 1 (offset 0 is for the
2511 * length). Thus the offset of each element is the length of the
2512 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2513 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2514 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2515
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2516 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2517
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2518 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2519 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2520 sa_len += 2;
2521 p += sa_len;
2522
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2523 /*
2524 * DistinguishedName certificate_authorities<0..2^16-1>;
2525 * opaque DistinguishedName<1..2^16-1>;
2526 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2527 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2529 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2531 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2532 /* NOTE: If trusted certificates are provisioned
2533 * via a CA callback (configured through
2534 * `mbedtls_ssl_conf_ca_cb()`, then the
2535 * CertificateRequest is currently left empty. */
2536
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2537#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2538#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2539 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2540 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2541 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2542#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2543 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2544 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2546#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2547#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2548 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2549 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2550 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2551#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2552 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2555 /* It follows from RFC 5280 A.1 that this length
2556 * can be represented in at most 11 bits. */
2557 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2558
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2559 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2560 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2561 break;
2562 }
2563
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2564 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2565 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2566 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2567 p += dn_size;
2568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2569 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2570
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2571 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2572 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2573 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2574 }
2575
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2576 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2578 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2579 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2580
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2581 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2582
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2583 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2584
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2585 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2586}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2587#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2588
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2589#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2590 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2591#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2592MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2593static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2594{
2595 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2596 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2597 mbedtls_pk_context *pk;
2598 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2599 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2600 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2601 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2602#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2603 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2604 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2605 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2606 mbedtls_ecp_keypair *key;
2607#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2608
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2609 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2611 if (pk == NULL) {
2612 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2613 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2614
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2615 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2616
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2617 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2618 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2619#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2620 case MBEDTLS_PK_ECKEY:
2621 case MBEDTLS_PK_ECKEY_DH:
2622 case MBEDTLS_PK_ECDSA:
2623#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2625 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2626 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2627
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2628 /* Get the attributes of the key previously parsed by PK module in
2629 * order to extract its type and length (in bits). */
2630 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2631 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2632 ret = PSA_TO_MBEDTLS_ERR(status);
2633 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2634 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2635 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2636 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2637
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2638 if (pk_type == MBEDTLS_PK_OPAQUE) {
2639 /* Opaque key is created by the user (externally from Mbed TLS)
2640 * so we assume it already has the right algorithm and flags
2641 * set. Just copy its ID as reference. */
2642 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2643 ssl->handshake->xxdh_psa_privkey_is_external = 1;
2644 } else {
2645 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2646 * module and only have ECDSA capabilities. Since we need
2647 * them for ECDH later, we export and then re-import them with
2648 * proper flags and algorithm. Of course We also set key's type
2649 * and bits that we just got above. */
2650 key_attributes = psa_key_attributes_init();
2651 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2652 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2653 psa_set_key_type(&key_attributes,
2654 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2655 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2656
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2657 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2658 if (status != PSA_SUCCESS) {
2659 ret = PSA_TO_MBEDTLS_ERR(status);
2660 goto exit;
2661 }
2662 status = psa_import_key(&key_attributes, buf, key_len,
2663 &ssl->handshake->xxdh_psa_privkey);
2664 if (status != PSA_SUCCESS) {
2665 ret = PSA_TO_MBEDTLS_ERR(status);
2666 goto exit;
2667 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2668
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2669 /* Set this key as owned by the TLS library: it will be its duty
2670 * to clear it exit. */
2671 ssl->handshake->xxdh_psa_privkey_is_external = 0;
2672 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2674 ret = 0;
2675 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2676#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2677 case MBEDTLS_PK_ECKEY:
2678 case MBEDTLS_PK_ECKEY_DH:
2679 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2680 key = mbedtls_pk_ec_rw(*pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2681 grp_id = mbedtls_pk_get_group_id(pk);
2682 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2683 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2684 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2685 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2686 if (tls_id == 0) {
2687 /* This elliptic curve is not supported */
2688 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2689 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2691 /* If the above conversion to TLS ID was fine, then also this one will
2692 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2693 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2694 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2695
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2696 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698 key_attributes = psa_key_attributes_init();
2699 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2700 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2701 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2702 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2703 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2704
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2705 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2706 ret = mbedtls_ecp_write_key(key, buf, key_len);
2707 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2708 mbedtls_platform_zeroize(buf, sizeof(buf));
2709 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2710 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2711
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2712 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2713 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2714 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2715 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2716 mbedtls_platform_zeroize(buf, sizeof(buf));
2717 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2718 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2719
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2720 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2721 ret = 0;
2722 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2723#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2724 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2725 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2726 }
2727
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2728exit:
2729 psa_reset_key_attributes(&key_attributes);
2730 mbedtls_platform_zeroize(buf, sizeof(buf));
2731
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2732 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2733}
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2734#else /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2735MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2736static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2737{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2739
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2740 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2741 if (private_key == NULL) {
2742 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2743 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2744 }
2745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2746 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2747 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2748 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2749 }
2750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2751 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]2752 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 MBEDTLS_ECDH_OURS)) != 0) {
2754 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2755 return ret;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2756 }
2757
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2758 return 0;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2759}
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2760#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2761#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2762 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2763
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2764#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2765 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2766MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2767static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2768 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2769{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2770 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2771 * signature length which will be added in ssl_write_server_key_exchange
2772 * after the call to ssl_prepare_server_key_exchange.
2773 * ssl_write_server_key_exchange also takes care of incrementing
2774 * ssl->out_msglen. */
2775 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2776 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2777 - sig_start);
2778 int ret = ssl->conf->f_async_resume(ssl,
2779 sig_start, signature_len, sig_max_len);
2780 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2781 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2782 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2783 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2784 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2785 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2786}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2787#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2788 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2789
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2790/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2791 * calculating the signature if any, but excluding formatting the
2792 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2793MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2794static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2795 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2796{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2797 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2798 ssl->handshake->ciphersuite_info;
2799
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2800#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2801#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2802 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2803#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2804#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2805
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2806 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2807#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2808 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2809#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2810
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2811#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2812#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2813 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2814#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2815 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2816#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2817#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2818
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2819 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2820
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2821 /*
2822 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2823 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2824 *
2825 */
2826
2827 /*
2828 * - ECJPAKE key exchanges
2829 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2830#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2831 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2833#if defined(MBEDTLS_USE_PSA_CRYPTO)
2834 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2835 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2836 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2837 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2838 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2839
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2840 /*
2841 * The first 3 bytes are:
2842 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2843 * [1, 2] elliptic curve's TLS ID
2844 *
2845 * However since we only support secp256r1 for now, we hardcode its
2846 * TLS ID here
2847 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2848 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2849 MBEDTLS_ECP_DP_SECP256R1);
2850 if (tls_id == 0) {
2851 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2852 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2853 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2854 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2855 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2856
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2857 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2858 out_p + output_offset,
2859 end_p - out_p - output_offset, &output_len,
2860 MBEDTLS_ECJPAKE_ROUND_TWO);
2861 if (ret != 0) {
2862 psa_destroy_key(ssl->handshake->psa_pake_password);
2863 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2864 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2865 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2866 }
2867
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2868 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2869 ssl->out_msglen += output_offset;
2870#else
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2871 size_t len = 0;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2872
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2873 ret = mbedtls_ecjpake_write_round_two(
2874 &ssl->handshake->ecjpake_ctx,
2875 ssl->out_msg + ssl->out_msglen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2876 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2877 ssl->conf->f_rng, ssl->conf->p_rng);
2878 if (ret != 0) {
2879 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2880 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2881 }
2882
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2883 ssl->out_msglen += len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2884#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2885 }
2886#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2887
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2888 /*
2889 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2890 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2891 * we use empty support identity hints here.
2892 **/
2893#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2894 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2895 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2896 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2897 ssl->out_msg[ssl->out_msglen++] = 0x00;
2898 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2899 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2900#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2901 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2902
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2903 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2904 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2905 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2906#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2907 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2909 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2910
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2911 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2912 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2913 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2914 }
2915
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2916 /*
2917 * Ephemeral DH parameters:
2918 *
2919 * struct {
2920 * opaque dh_p<1..2^16-1>;
2921 * opaque dh_g<1..2^16-1>;
2922 * opaque dh_Ys<1..2^16-1>;
2923 * } ServerDHParams;
2924 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2925 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2926 &ssl->conf->dhm_P,
2927 &ssl->conf->dhm_G)) != 0) {
2928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2929 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2930 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2931
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2932 if ((ret = mbedtls_dhm_make_params(
2933 &ssl->handshake->dhm_ctx,
2934 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2935 ssl->out_msg + ssl->out_msglen, &len,
2936 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2937 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2938 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2939 }
2940
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2941#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2942 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2943#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2944
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2945 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2946
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2947 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2948 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2949 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2950 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2951 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2952#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2953
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2954 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2955 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2956 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2957#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2958 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2959 /*
2960 * Ephemeral ECDH parameters:
2961 *
2962 * struct {
2963 * ECParameters curve_params;
2964 * ECPoint public;
2965 * } ServerECDHParams;
2966 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2967 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2968 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2969 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2970 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2971
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2972 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2973 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2974 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2975 }
2976 for (; *group_list != 0; group_list++) {
2977 for (curr_tls_id = ssl->handshake->curves_tls_id;
2978 *curr_tls_id != 0; curr_tls_id++) {
2979 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2980 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2981 }
2982 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2983 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2985curve_matching_done:
2986 if (*curr_tls_id == 0) {
2987 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2988 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2989 }
2990
2991 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2992 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2993
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2994#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2995 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2996 psa_key_attributes_t key_attributes;
2997 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2998 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2999 const size_t header_size = 4; // curve_type(1), namedcurve(2),
3000 // data length(1)
3001 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]3002 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]3003 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3004
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3005 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3006
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]3007 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]3009 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3010 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
3011 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
3012 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]3013 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3014 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]3015 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3016
3017 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3018 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3019 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3020 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]3021 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3022
3023 /*
3024 * ECParameters curve_params
3025 *
3026 * First byte is curve_type, always named_curve
3027 */
3028 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3029
3030 /*
3031 * Next two bytes are the namedcurve value
3032 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3034 p += 2;
3035
3036 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3037 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3038 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3039 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3040 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3041 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3042 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3043 }
3044
3045 /*
3046 * ECPoint public
3047 *
3048 * First byte is data length.
3049 * It will be filled later. p holds now the data length location.
3050 */
3051
3052 /* Export the public part of the ECDH private key from PSA.
3053 * Make one byte space for the length.
3054 */
3055 unsigned char *own_pubkey = p + data_length_size;
3056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3057 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3058 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3059
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3060 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 own_pubkey, own_pubkey_max_len,
3062 &len);
3063 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3064 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3065 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3066 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3067 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3068 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3069 }
3070
3071 /* Store the length of the exported public key. */
3072 *p = (uint8_t) len;
3073
3074 /* Determine full message length. */
3075 len += header_size;
3076#else
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3077 mbedtls_ecp_group_id curr_grp_id =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3078 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3079
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3080 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3081 curr_grp_id)) != 0) {
3082 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3083 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3084 }
3085
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3086 if ((ret = mbedtls_ecdh_make_params(
3087 &ssl->handshake->ecdh_ctx, &len,
3088 ssl->out_msg + ssl->out_msglen,
3089 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3090 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3091 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3092 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3093 }
3094
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3095 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3096 MBEDTLS_DEBUG_ECDH_Q);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3097#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3098
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3099#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3100 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3101#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3102
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3103 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3104 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3105#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3106
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3107 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3108 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3109 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3110 * exchange parameters, compute and add the signature here.
3111 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3112 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3113#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3114 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3115 if (dig_signed == NULL) {
3116 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3117 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]3118 }
3119
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3120 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3121 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3122 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3123
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3124 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3125
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3126 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3127 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3128 * For TLS 1.2, obey signature-hash-algorithm extension
3129 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3130 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3131
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3132 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3133 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3134
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]3135 unsigned char sig_hash =
3136 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3137 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3138
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3139 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3140
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3141 /* For TLS 1.2, obey signature-hash-algorithm extension
3142 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3143 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3144 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3145 /* (... because we choose a cipher suite
3146 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3147 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3148 }
3149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3150 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3151
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3152 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3153 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3154 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3155 if (md_alg != MBEDTLS_MD_NONE) {
3156 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3157 dig_signed,
3158 dig_signed_len,
3159 md_alg);
3160 if (ret != 0) {
3161 return ret;
3162 }
3163 } else {
3164 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3165 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3166 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3167
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3168 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3169
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3170 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3171 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3172 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3173 /*
3174 * We need to specify signature and hash algorithm explicitly through
3175 * a prefix to the signature.
3176 *
3177 * struct {
3178 * HashAlgorithm hash;
3179 * SignatureAlgorithm signature;
3180 * } SignatureAndHashAlgorithm;
3181 *
3182 * struct {
3183 * SignatureAndHashAlgorithm algorithm;
3184 * opaque signature<0..2^16-1>;
3185 * } DigitallySigned;
3186 *
3187 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3189 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3190 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3191
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3192#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3193 if (ssl->conf->f_async_sign_start != NULL) {
3194 ret = ssl->conf->f_async_sign_start(ssl,
3195 mbedtls_ssl_own_cert(ssl),
3196 md_alg, hash, hashlen);
3197 switch (ret) {
3198 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3199 /* act as if f_async_sign was null */
3200 break;
3201 case 0:
3202 ssl->handshake->async_in_progress = 1;
3203 return ssl_resume_server_key_exchange(ssl, signature_len);
3204 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3205 ssl->handshake->async_in_progress = 1;
3206 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3207 default:
3208 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3209 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3210 }
3211 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3212#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3214 if (mbedtls_ssl_own_key(ssl) == NULL) {
3215 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3216 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3217 }
3218
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3219 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3220 * signature length which will be added in ssl_write_server_key_exchange
3221 * after the call to ssl_prepare_server_key_exchange.
3222 * ssl_write_server_key_exchange also takes care of incrementing
3223 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3224 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3225 md_alg, hash, hashlen,
3226 ssl->out_msg + ssl->out_msglen + 2,
3227 out_buf_len - ssl->out_msglen - 2,
3228 signature_len,
3229 ssl->conf->f_rng,
3230 ssl->conf->p_rng)) != 0) {
3231 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3232 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3233 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3234 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3235#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3237 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3238}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3239
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3240/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3241 * that do not include a ServerKeyExchange message, do nothing. Either
3242 * way, if successful, move on to the next step in the SSL state
3243 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3244MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3245static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3246{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3247 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3248 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3249#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3250 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3251 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3252#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3254 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3255
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3256#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3257 /* Extract static ECDH parameters and abort if ServerKeyExchange
3258 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3259 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3260 /* For suites involving ECDH, extract DH parameters
3261 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3262#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3263 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3264 ret = ssl_get_ecdh_params_from_cert(ssl);
3265 if (ret != 0) {
3266 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3267 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3268 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3269 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3270#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3271
3272 /* Key exchanges not involving ephemeral keys don't use
3273 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3274 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3275 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3276 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3277 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3278#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3279
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3280#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3281 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3282 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3283 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3284 if (ssl->handshake->async_in_progress != 0) {
3285 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3286 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3287 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3288#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3289 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3290 {
3291 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3292 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3293 }
3294
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3295 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3296 /* If we're starting to write a new message, set ssl->out_msglen
3297 * to 0. But if we're resuming after an asynchronous message,
3298 * out_msglen is the amount of data written so far and mst be
3299 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3300 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3301 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3302 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3303 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3304 }
3305 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3306 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3307
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3308 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3309 * ssl_prepare_server_key_exchange already wrote the signature
3310 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3311#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3312 if (signature_len != 0) {
3313 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3314 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3316 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3317 ssl->out_msg + ssl->out_msglen,
3318 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3319
3320 /* Skip over the already-written signature */
3321 ssl->out_msglen += signature_len;
3322 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3323#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3324
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3325 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3326 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3327 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3328
3329 ssl->state++;
3330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3331 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3332 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3333 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3334 }
3335
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3336 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3337 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3338}
3339
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3340MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3341static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3342{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3343 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3345 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3346
3347 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3348 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3349 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3350
3351 ssl->state++;
3352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3353#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3354 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3355 mbedtls_ssl_send_flight_completed(ssl);
3356 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3357#endif
3358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3359 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3360 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3361 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3362 }
3363
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3364#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3366 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3367 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3368 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3369 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3370#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3372 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3373
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3374 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3375}
3376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3377#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3378 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3379MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3380static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3381 const unsigned char *end)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3382{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3383 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3384 size_t n;
3385
3386 /*
3387 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3388 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3389 if (*p + 2 > end) {
3390 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3391 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3392 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3393
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3394 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3395 *p += 2;
3396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3397 if (*p + n > end) {
3398 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3399 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3400 }
3401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3402 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3403 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3404 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3405 }
3406
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3407 *p += n;
3408
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3409 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3411 return ret;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3412}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3413#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3414 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3416#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3417 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3418
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3419#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3420MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3421static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3422 unsigned char *peer_pms,
3423 size_t *peer_pmslen,
3424 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3425{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3426 int ret = ssl->conf->f_async_resume(ssl,
3427 peer_pms, peer_pmslen, peer_pmssize);
3428 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3429 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3430 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3431 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3432 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3433 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3434}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3435#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3436
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3437MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3438static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3439 const unsigned char *p,
3440 const unsigned char *end,
3441 unsigned char *peer_pms,
3442 size_t *peer_pmslen,
3443 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3444{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3447 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3448 if (own_cert == NULL) {
3449 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3450 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3451 }
3452 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3453 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3454 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3455
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3456#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3457 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3458 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3459 if (ssl->handshake->async_in_progress != 0) {
3460 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3461 return ssl_resume_decrypt_pms(ssl,
3462 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3463 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3464#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3465
3466 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3467 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3468 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3469 if (p + 2 > end) {
3470 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3471 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3472 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3473 if (*p++ != MBEDTLS_BYTE_1(len) ||
3474 *p++ != MBEDTLS_BYTE_0(len)) {
3475 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3476 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3477 }
3478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3479 if (p + len != end) {
3480 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3481 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3482 }
3483
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3484 /*
3485 * Decrypt the premaster secret
3486 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3487#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3488 if (ssl->conf->f_async_decrypt_start != NULL) {
3489 ret = ssl->conf->f_async_decrypt_start(ssl,
3490 mbedtls_ssl_own_cert(ssl),
3491 p, len);
3492 switch (ret) {
3493 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3494 /* act as if f_async_decrypt_start was null */
3495 break;
3496 case 0:
3497 ssl->handshake->async_in_progress = 1;
3498 return ssl_resume_decrypt_pms(ssl,
3499 peer_pms,
3500 peer_pmslen,
3501 peer_pmssize);
3502 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3503 ssl->handshake->async_in_progress = 1;
3504 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3505 default:
3506 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3507 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3508 }
3509 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3510#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3512 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3513 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3514 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3515 }
3516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3517 ret = mbedtls_pk_decrypt(private_key, p, len,
3518 peer_pms, peer_pmslen, peer_pmssize,
3519 ssl->conf->f_rng, ssl->conf->p_rng);
3520 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3521}
3522
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3523MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3524static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3525 const unsigned char *p,
3526 const unsigned char *end,
3527 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3528{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3529 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3530 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3531 unsigned char ver[2];
3532 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3533 size_t peer_pmslen;
3534 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3535
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3536 /* In case of a failure in decryption, the decryption may write less than
3537 * 2 bytes of output, but we always read the first two bytes. It doesn't
3538 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3539 * ret being nonzero, and we only care whether diff is 0.
3540 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3541 * also makes memory analyzers happy (don't access uninitialized memory,
3542 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3543 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3544 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3546 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3547 peer_pms,
3548 &peer_pmslen,
3549 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3550
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3551#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3552 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3553 return ret;
3554 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3555#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3556
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3557 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3558 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3559
3560 /* Avoid data-dependent branches while checking for invalid
3561 * padding, to protect against timing-based Bleichenbacher-type
3562 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3563 diff = mbedtls_ct_bool(ret);
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100[diff] [blame]3564 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3565 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3566 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3567
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3568 /*
3569 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3570 * must not cause the connection to end immediately; instead, send a
3571 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3572 * To protect against timing-based variants of the attack, we must
3573 * not have any branch that depends on whether the decryption was
3574 * successful. In particular, always generate the fake premaster secret,
3575 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3576 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3577 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3578 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3579 /* It's ok to abort on an RNG failure, since this does not reveal
3580 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3581 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3582 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3583
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3584#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3585 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3586 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3587 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3588#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3589
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3590 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3591 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3592 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3593 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3594 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3595 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3596
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3597 /* Set pms to either the true or the fake PMS, without
3598 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3599 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3600
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3601 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3602}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3603#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3604 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3605
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3606#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3607MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3608static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3609 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3610{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3611 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3612 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3614 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3615 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3616 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3617 }
3618
3619 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3620 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3621 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3622 if (end - *p < 2) {
3623 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3624 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3625 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3626
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3627 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3628 *p += 2;
3629
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3630 if (n == 0 || n > end - *p) {
3631 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3632 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3633 }
3634
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3635 if (ssl->conf->f_psk != NULL) {
3636 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3637 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3638 }
3639 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3640 /* Identity is not a big secret since clients send it in the clear,
3641 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3642 if (n != ssl->conf->psk_identity_len ||
3643 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3644 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3645 }
3646 }
3647
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3648 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3649 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3650 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3651 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3652 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3653 }
3654
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3655 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3656
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3657 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3658}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3659#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3660
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3661MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3662static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3663{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3665 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3666 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3667
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3668 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3670 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3671
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3672#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3673 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3674 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3675 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3676 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3677 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3678 /* We've already read a record and there is an asynchronous
3679 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3680 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3681 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3682 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3683#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3684 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3686 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3687 }
3688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3689 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3690 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3692 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3693 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3694 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3695 }
3696
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3697 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3698 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3699 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3700 }
3701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3702#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3703 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3704 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3705 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3706 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3707 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3708
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3709 if (p != end) {
3710 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3711 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3712 }
3713
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3714 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3715 ssl->handshake->premaster,
3716 MBEDTLS_PREMASTER_SIZE,
3717 &ssl->handshake->pmslen,
3718 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3719 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3720 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3721 }
3722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3723 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3724 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3725#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3726#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3727 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3728 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3729 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3730 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3731 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3732 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3733 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3734#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3735 size_t data_len = (size_t) (*p++);
3736 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3737 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3738 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3739
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3740 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3741
3742 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3743 * We must have at least two bytes (1 for length, at least 1 for data)
3744 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3745 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3746 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3747 buf_len));
3748 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3749 }
3750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3751 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3752 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3753 " > %" MBEDTLS_PRINTF_SIZET,
3754 data_len, buf_len));
3755 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3756 }
3757
3758 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3759 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3760 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3761 " > %" MBEDTLS_PRINTF_SIZET,
3762 data_len,
3763 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3764 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3765 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3766 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3767 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3768
3769 /* Compute ECDH shared secret. */
3770 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3771 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3772 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3773 handshake->premaster, sizeof(handshake->premaster),
3774 &handshake->pmslen);
3775 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3776 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3777 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3778 if (handshake->xxdh_psa_privkey_is_external == 0) {
3779 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3780 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3781 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3782 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3783 }
3784
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3785 if (handshake->xxdh_psa_privkey_is_external == 0) {
3786 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3787
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3788 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3789 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3790 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3791 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3792 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3793 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3794 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3795#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3796 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3797 p, (size_t) (end - p))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3798 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3799 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3800 }
3801
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3802 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3803 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3804
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3805 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3806 &ssl->handshake->pmslen,
3807 ssl->handshake->premaster,
3808 MBEDTLS_MPI_MAX_SIZE,
3809 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3810 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3811 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3812 }
3813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3814 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3815 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3816#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3817 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3818#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3819 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3820 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3821 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3822#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3823 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3824 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3825 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3826 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3827 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3829 if (p != end) {
3830 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3831 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3832 }
3833
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3834#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3835 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3836 (mbedtls_key_exchange_type_t) ciphersuite_info->
3837 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3838 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3839 return ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3840 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3841#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3842 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3843#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3844#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3845 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3846#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3847 if (ssl->handshake->async_in_progress != 0) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3848 /* There is an asynchronous operation in progress to
3849 * decrypt the encrypted premaster secret, so skip
3850 * directly to resuming this operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3851 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3852 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3853 * won't actually use it, but maintain p anyway for robustness. */
3854 p += ssl->conf->psk_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3855 } else
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3856#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3857 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3858 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3859 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3860 }
3861
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3862 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3863 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3864 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3865 }
3866
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3867#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3868 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3869 (mbedtls_key_exchange_type_t) ciphersuite_info->
3870 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3871 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3872 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3873 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3874#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3875 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3876#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3877#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3878 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3879 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3880 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3881 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3882 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3883 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3884 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3885 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3886 }
3887
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3888 if (p != end) {
3889 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3890 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3891 }
3892
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3893#if defined(MBEDTLS_USE_PSA_CRYPTO)
3894 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3895 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3896 size_t pms_len;
3897
3898 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3899 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3900 pms + 2, pms_end - (pms + 2), &pms_len,
3901 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3902 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3903 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3904 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3905 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3906 pms += 2 + pms_len;
3907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3908 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3909#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3910 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3911 (mbedtls_key_exchange_type_t) ciphersuite_info->
3912 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3913 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3914 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3915 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3916#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3917 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3918#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3919#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3920 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3921#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3922 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3923 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3924 uint8_t ecpoint_len;
3925
3926 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3927
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3928 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3929 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3930 psa_destroy_key(handshake->xxdh_psa_privkey);
3931 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3932 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3933 }
3934
3935 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3936 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3937 psa_destroy_key(handshake->xxdh_psa_privkey);
3938 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3939 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3940 }
3941
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3942 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3943 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3944 psa_destroy_key(handshake->xxdh_psa_privkey);
3945 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3946 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3947 }
3948
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3949 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3950 the sizes of the FFDH keys which are at least 2048 bits.
3951 The size of the array is thus greater than 256 bytes which is greater than any
3952 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3953#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3954 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3955 psa_destroy_key(handshake->xxdh_psa_privkey);
3956 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3957 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3958 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3959#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3960 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3961 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3962#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3963
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3964 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3965 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3966 p += ecpoint_len;
3967
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3968 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3969 * - a uint16 containing the length (in octets) of the ECDH computation
3970 * - the octet string produced by the ECDH computation
3971 * - a uint16 containing the length (in octets) of the PSK
3972 * - the PSK itself
3973 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3974 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3975 const unsigned char * const psm_end =
3976 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3977 /* uint16 to store length (in octets) of the ECDH computation */
3978 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3979 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3980
3981 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3982 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3983 handshake->xxdh_psa_privkey,
3984 handshake->xxdh_psa_peerkey,
3985 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3986 psm + zlen_size,
3987 psm_end - (psm + zlen_size),
3988 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3989
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3990 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3991 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3993 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3994 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3995 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3996 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3997 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3998
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3999 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4000 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]4001 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]4002
Przemek Stekiel14d11b02022-04-14 08:33:29 +0200[diff] [blame]4003#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4004 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4005 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4006 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4007 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]4008
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4009 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4010 p, (size_t) (end - p))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4011 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4012 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4013 }
4014
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4015 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4016 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]4017
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4018 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]4019 (mbedtls_key_exchange_type_t) ciphersuite_info->
4020 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4021 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4022 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4023 }
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]4024#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4025 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4026#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4027#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4028 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
4029 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4030 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
4031 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4032 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4033 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4034#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4035#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4036 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4037#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4038 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4039 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4040 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4041 psa_destroy_key(ssl->handshake->psa_pake_password);
4042 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4043
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4044 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4045 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4046 }
4047#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4048 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4049 p, (size_t) (end - p));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4050 if (ret != 0) {
4051 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4052 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4053 }
4054
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4055 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4056 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4057 ssl->conf->f_rng, ssl->conf->p_rng);
4058 if (ret != 0) {
4059 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4060 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4061 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4062#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4063 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4064#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4065 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4066 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4067 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4068 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4069
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4070 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4071 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4072 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]4073 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4074
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4075 ssl->state++;
4076
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4077 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4079 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4080}
4081
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4082#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4083MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4084static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4085{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4086 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4087 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4088
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4089 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4091 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4092 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4093 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4094 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4095 }
4096
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4097 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4098 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4099}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4100#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4102static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4103{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4104 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4105 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4106 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4107 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4108 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4109 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4110 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4111 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4112 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4113 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4114
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4115 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4116
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4117 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4118 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4119 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4120 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4121 }
4122
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4123#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4124 if (ssl->session_negotiate->peer_cert == NULL) {
4125 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4126 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4127 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4128 }
4129#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4130 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4131 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4132 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4133 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4134 }
4135#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4136
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4137 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4138 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4139 if (0 != ret) {
4140 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4141 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4142 }
4143
4144 ssl->state++;
4145
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4146 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4147 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4148 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4149 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4150 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4151 }
4152
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4153 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4154
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4155#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4156 peer_pk = &ssl->handshake->peer_pubkey;
4157#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4158 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4159 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4160 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4161 }
4162 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4163#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4164
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4165 /*
4166 * struct {
4167 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4168 * opaque signature<0..2^16-1>;
4169 * } DigitallySigned;
4170 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4171 if (i + 2 > ssl->in_hslen) {
4172 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4173 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4174 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4175
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4176 /*
4177 * Hash
4178 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4179 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4181 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4182 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4183 " for verify message"));
4184 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4185 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4186
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4187#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4188 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4189 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4190 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4191#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4192
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4193 /* Info from md_alg will be used instead */
4194 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4195
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4196 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4197
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4198 /*
4199 * Signature
4200 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4201 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4202 == MBEDTLS_PK_NONE) {
4203 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4204 " for verify message"));
4205 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]4206 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]4207
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4208 /*
4209 * Check the certificate's key type matches the signature alg
4210 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4211 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4212 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4213 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4214 }
4215
4216 i++;
4217
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4218 if (i + 2 > ssl->in_hslen) {
4219 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4220 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4221 }
4222
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]4223 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4224 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4226 if (i + sig_len != ssl->in_hslen) {
4227 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4228 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4229 }
4230
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4231 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4232 {
4233 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4234 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4235 if (0 != ret) {
4236 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4237 return ret;
4238 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4239 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4240
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4241 if ((ret = mbedtls_pk_verify(peer_pk,
4242 md_alg, hash_start, hashlen,
4243 ssl->in_msg + i, sig_len)) != 0) {
4244 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4245 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4246 }
4247
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4248 ret = mbedtls_ssl_update_handshake_status(ssl);
4249 if (0 != ret) {
4250 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4251 return ret;
4252 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4254 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4255
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4256 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4257}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4258#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4259
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4260#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4261MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4262static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4263{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4265 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]4266 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4268 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4270 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4271 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4272
4273 /*
4274 * struct {
4275 * uint32 ticket_lifetime_hint;
4276 * opaque ticket<0..2^16-1>;
4277 * } NewSessionTicket;
4278 *
4279 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4280 * 8 . 9 ticket_len (n)
4281 * 10 . 9+n ticket content
4282 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]4283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4284 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4285 ssl->session_negotiate,
4286 ssl->out_msg + 10,
4287 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4288 &tlen, &lifetime)) != 0) {
4289 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]4290 tlen = 0;
4291 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4293 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4294 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4295 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4296
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]4297 /*
4298 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4299 * ChangeCipherSpec share the same state.
4300 */
4301 ssl->handshake->new_session_ticket = 0;
4302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4303 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4304 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4305 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4306 }
4307
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4308 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4309
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4310 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4311}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4312#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4313
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4314/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4315 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4316 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4317int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4318{
4319 int ret = 0;
4320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4321 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4322
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4323 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4324 case MBEDTLS_SSL_HELLO_REQUEST:
4325 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4326 break;
4327
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4328 /*
4329 * <== ClientHello
4330 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4331 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4332 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4333 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4335#if defined(MBEDTLS_SSL_PROTO_DTLS)
4336 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4337 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4338#endif
4339
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4340 /*
4341 * ==> ServerHello
4342 * Certificate
4343 * ( ServerKeyExchange )
4344 * ( CertificateRequest )
4345 * ServerHelloDone
4346 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4347 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4348 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4349 break;
4350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4351 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4352 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4353 break;
4354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4355 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4356 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4357 break;
4358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4359 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4360 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4361 break;
4362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4363 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4364 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4365 break;
4366
4367 /*
4368 * <== ( Certificate/Alert )
4369 * ClientKeyExchange
4370 * ( CertificateVerify )
4371 * ChangeCipherSpec
4372 * Finished
4373 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4374 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4375 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4376 break;
4377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4378 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4379 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4380 break;
4381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4382 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4383 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4384 break;
4385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4386 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4387 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4388 break;
4389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4390 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4391 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4392 break;
4393
4394 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4395 * ==> ( NewSessionTicket )
4396 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4397 * Finished
4398 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4399 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4400#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4401 if (ssl->handshake->new_session_ticket != 0) {
4402 ret = ssl_write_new_session_ticket(ssl);
4403 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4404#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4405 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4406 break;
4407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4408 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4409 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4410 break;
4411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4412 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4413 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4414 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4415 break;
4416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4417 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4418 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4419 break;
4420
4421 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4422 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4423 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4424 }
4425
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4426 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4427}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4428
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4429void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4430{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4431 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4432}
4433
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4434#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */