TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ca8c61b81519176b5287548b0e789e97f8ca2802 / . / library / ssl_tls12_client.c
blob: 5a98165d0995601426ceddde2d08a0956f90f40e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS client-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]24#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]25
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]26#include "mbedtls/ssl.h"
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]27#include "ssl_client.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]28#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]29#include "mbedtls/debug.h"
30#include "mbedtls/error.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]31#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]32
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]33#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +0200[diff] [blame]34#include "psa_util_internal.h"
Ronald Cron69a63422021-10-18 09:47:58 +0200[diff] [blame]35#include "psa/crypto.h"
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]36#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
39static int local_err_translation(psa_status_t status)
40{
41 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]42 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]43 psa_generic_status_to_mbedtls);
44}
45#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]46#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]47#endif /* MBEDTLS_USE_PSA_CRYPTO */
48
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]49#include <string.h>
50
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]51#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]54#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]55#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]58#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]59#endif
60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]62MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
64 unsigned char *buf,
65 const unsigned char *end,
66 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]67{
68 unsigned char *p = buf;
69
70 *olen = 0;
71
Tom Cosgrovece7f18c2022-07-28 05:50:56 +0100[diff] [blame]72 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]73 * initial ClientHello, in which case also adding the renegotiation
74 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]75 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
76 return 0;
77 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]78
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG(3,
80 ("client hello, adding renegotiation extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]81
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]82 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]83
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]84 /*
85 * Secure renegotiation
86 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]88 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]89
90 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]91 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
92 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]95
96 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]99}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]101
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]102#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]103 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]105MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]106static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
107 unsigned char *buf,
108 const unsigned char *end,
109 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110{
111 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]112 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
114 *olen = 0;
115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 MBEDTLS_SSL_DEBUG_MSG(3,
117 ("client hello, adding supported_point_formats extension"));
118 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]121 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122
123 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]124 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]125
126 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]127 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]128
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]129 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]132}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]133#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]134 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]135
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]136#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]137MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
139 unsigned char *buf,
140 const unsigned char *end,
141 size_t *olen)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]142{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]144 unsigned char *p = buf;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]145 size_t kkpp_len = 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]146
147 *olen = 0;
148
149 /* Skip costly extension if we can't use EC J-PAKE anyway */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]150#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]151 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
152 return 0;
153 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]154#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]155 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
156 return 0;
157 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]158#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]160 MBEDTLS_SSL_DEBUG_MSG(3,
161 ("client hello, adding ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]163 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]165 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]166 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]167
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]168 /*
169 * We may need to send ClientHello multiple times for Hello verification.
170 * We don't want to compute fresh values every time (both for performance
171 * and consistency reasons), so cache the extension content.
172 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]173 if (ssl->handshake->ecjpake_cache == NULL ||
174 ssl->handshake->ecjpake_cache_len == 0) {
175 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]176
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]177#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti6b3dab02022-11-17 17:14:54 +0100[diff] [blame]178 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 p + 2, end - p - 2, &kkpp_len,
180 MBEDTLS_ECJPAKE_ROUND_ONE);
181 if (ret != 0) {
182 psa_destroy_key(ssl->handshake->psa_pake_password);
183 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
184 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
185 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]186 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]187#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]188 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
189 p + 2, end - p - 2, &kkpp_len,
190 ssl->conf->f_rng, ssl->conf->p_rng);
191 if (ret != 0) {
192 MBEDTLS_SSL_DEBUG_RET(1,
193 "mbedtls_ecjpake_write_round_one", ret);
194 return ret;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]195 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]196#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
199 if (ssl->handshake->ecjpake_cache == NULL) {
200 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
201 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]202 }
203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]204 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]205 ssl->handshake->ecjpake_cache_len = kkpp_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]206 } else {
207 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]208
209 kkpp_len = ssl->handshake->ecjpake_cache_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]211
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]213 }
214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]215 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]216 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]217
218 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 return 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]221}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]222#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]223
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]224#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]225MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
227 unsigned char *buf,
228 const unsigned char *end,
229 size_t *olen)
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]230{
231 unsigned char *p = buf;
232 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]233
234 /*
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]235 * struct {
236 * opaque cid<0..2^8-1>;
237 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]238 */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]239
240 *olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
242 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
243 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]244 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]246
247 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
248 * which is at most 255, so the increment cannot overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]250
251 /* Add extension ID + size */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]252 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]253 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]254 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]255 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]256 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]257
258 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]259 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]260
261 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]262
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]263 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]264}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]265#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]267#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]268MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]269static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
270 unsigned char *buf,
271 const unsigned char *end,
272 size_t *olen)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]273{
274 unsigned char *p = buf;
275
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]276 *olen = 0;
277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
279 return 0;
280 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_DEBUG_MSG(3,
283 ("client hello, adding max_fragment_length extension"));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]288 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]289
290 *p++ = 0x00;
291 *p++ = 1;
292
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]293 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]294
295 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]296
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 return 0;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]298}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]302MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]303static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
304 unsigned char *buf,
305 const unsigned char *end,
306 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]307{
308 unsigned char *p = buf;
309
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]310 *olen = 0;
311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
313 return 0;
314 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_DEBUG_MSG(3,
317 ("client hello, adding encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]322 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]323
324 *p++ = 0x00;
325 *p++ = 0x00;
326
327 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]330}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]331#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]333#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]334MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]335static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
336 unsigned char *buf,
337 const unsigned char *end,
338 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]339{
340 unsigned char *p = buf;
341
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]342 *olen = 0;
343
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
345 return 0;
346 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]347
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_SSL_DEBUG_MSG(3,
349 ("client hello, adding extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]354 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]355
356 *p++ = 0x00;
357 *p++ = 0x00;
358
359 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]362}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]365#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]366MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]367static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
368 unsigned char *buf,
369 const unsigned char *end,
370 size_t *olen)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]371{
372 unsigned char *p = buf;
373 size_t tlen = ssl->session_negotiate->ticket_len;
374
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]375 *olen = 0;
376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
378 return 0;
379 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 MBEDTLS_SSL_DEBUG_MSG(3,
382 ("client hello, adding session ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]383
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]384 /* The addition is safe here since the ticket length is 16 bit. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]387 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]388 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]391 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]392
393 *olen = 4;
394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
396 return 0;
397 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 MBEDTLS_SSL_DEBUG_MSG(3,
400 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 memcpy(p, ssl->session_negotiate->ticket, tlen);
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]403
404 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]407}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]408#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]409
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]410#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]411MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
413 unsigned char *buf,
414 const unsigned char *end,
415 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]416{
417 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]418 size_t protection_profiles_index = 0, ext_len = 0;
419 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]420
421 *olen = 0;
422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]423 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
424 (ssl->conf->dtls_srtp_profile_list == NULL) ||
425 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
426 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]427 }
428
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]429 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]430 * uint8 SRTPProtectionProfile[2];
431 *
432 * struct {
433 * SRTPProtectionProfiles SRTPProtectionProfiles;
434 * opaque srtp_mki<0..255>;
435 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]436 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]437 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]438 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]439 mki_len = ssl->dtls_srtp_info.mki_len;
440 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]441 /* Extension length = 2 bytes for profiles length,
442 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
443 * 1 byte for srtp_mki vector length and the mki_len value
444 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]445 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]448
449 /* Check there is room in the buffer for the extension + 4 bytes
450 * - the extension tag (2 bytes)
451 * - the extension length (2 bytes)
452 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]453 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]456 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]459 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]460
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]461 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]462 /* micro-optimization:
463 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
464 * which is lower than 127, so the upper byte of the length is always 0
465 * For the documentation, the more generic code is left in comments
466 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
467 * >> 8 ) & 0xFF );
468 */
469 *p++ = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]472 for (protection_profiles_index = 0;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]473 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 protection_profiles_index++) {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]475 profile_value = mbedtls_ssl_check_srtp_profile_value
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]476 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
477 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
478 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
479 profile_value));
480 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]481 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]482 } else {
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]483 /*
484 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]485 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]486 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG(3,
488 ("client hello, "
489 "illegal DTLS-SRTP protection profile %d",
490 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
491 ));
492 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]493 }
494 }
495
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]496 *p++ = mki_len & 0xFF;
497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (mki_len != 0) {
499 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]500 /*
501 * Increment p to point to the current position.
502 */
503 p += mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]504 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
505 ssl->dtls_srtp_info.mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]506 }
507
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]508 /*
509 * total extension length: extension type (2 bytes)
510 * + extension length (2 bytes)
511 * + protection profile length (2 bytes)
512 * + 2 * number of protection profiles
513 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]514 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]515 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]516 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]519}
520#endif /* MBEDTLS_SSL_DTLS_SRTP */
521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]522int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
523 unsigned char *buf,
524 const unsigned char *end,
525 int uses_ec,
526 size_t *out_len)
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]527{
528 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
529 unsigned char *p = buf;
530 size_t ext_len = 0;
531
532 (void) ssl;
533 (void) end;
534 (void) uses_ec;
535 (void) ret;
536 (void) ext_len;
537
538 *out_len = 0;
539
540 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
541 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
542#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]543 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
544 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
545 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]546 }
547 p += ext_len;
548#endif
549
550#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
551 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]552 if (uses_ec) {
553 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
554 &ext_len)) != 0) {
555 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
556 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]557 }
558 p += ext_len;
559 }
560#endif
561
562#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
564 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
565 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]566 }
567 p += ext_len;
568#endif
569
570#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
572 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
573 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]574 }
575 p += ext_len;
576#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
577
578#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
580 &ext_len)) != 0) {
581 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
582 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]583 }
584 p += ext_len;
585#endif
586
587#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
589 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
590 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]591 }
592 p += ext_len;
593#endif
594
595#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
597 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
598 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]599 }
600 p += ext_len;
601#endif
602
603#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
605 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
606 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]607 }
608 p += ext_len;
609#endif
610
611#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]612 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
613 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
614 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]615 }
616 p += ext_len;
617#endif
618
619 *out_len = p - buf;
620
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621 return 0;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]622}
623
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]624MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
626 const unsigned char *buf,
627 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]628{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]630 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]631 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (len != 1 + ssl->verify_data_len * 2 ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]633 buf[0] != ssl->verify_data_len * 2 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 mbedtls_ct_memcmp(buf + 1,
635 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
636 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
637 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
638 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]639 mbedtls_ssl_send_alert_message(
640 ssl,
641 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
643 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]644 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]647 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 if (len != 1 || buf[0] != 0x00) {
649 MBEDTLS_SSL_DEBUG_MSG(1,
650 ("non-zero length renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]651 mbedtls_ssl_send_alert_message(
652 ssl,
653 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
655 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]656 }
657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]659 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]661 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]662}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]665MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
667 const unsigned char *buf,
668 size_t len)
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]669{
670 /*
671 * server should use the extension only if we did,
672 * and if so the server's value should match ours (and len is always 1)
673 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]675 len != 1 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 buf[0] != ssl->conf->mfl_code) {
677 MBEDTLS_SSL_DEBUG_MSG(1,
678 ("non-matching max fragment length extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]679 mbedtls_ssl_send_alert_message(
680 ssl,
681 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
683 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]684 }
685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]686 return 0;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]687}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]688#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]689
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]690#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]691MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]692static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
693 const unsigned char *buf,
694 size_t len)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]695{
696 size_t peer_cid_len;
697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698 if ( /* CID extension only makes sense in DTLS */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]699 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
700 /* The server must only send the CID extension if we have offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
702 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
703 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
704 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
705 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]706 }
707
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]708 if (len == 0) {
709 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
710 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
711 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
712 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]713 }
714
715 peer_cid_len = *buf++;
716 len--;
717
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
719 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
720 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
721 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
722 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]723 }
724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]725 if (len != peer_cid_len) {
726 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
727 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
729 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]730 }
731
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]732 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]733 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]736 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
737 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]738
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 return 0;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]740}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]741#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]744MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
746 const unsigned char *buf,
747 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]748{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
750 len != 0) {
751 MBEDTLS_SSL_DEBUG_MSG(1,
752 ("non-matching encrypt-then-MAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]753 mbedtls_ssl_send_alert_message(
754 ssl,
755 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
757 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]758 }
759
760 ((void) buf);
761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]762 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]765}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]766#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]769MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
771 const unsigned char *buf,
772 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]773{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]774 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
775 len != 0) {
776 MBEDTLS_SSL_DEBUG_MSG(1,
777 ("non-matching extended master secret extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]778 mbedtls_ssl_send_alert_message(
779 ssl,
780 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
782 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]783 }
784
785 ((void) buf);
786
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]787 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]790}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]791#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]793#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
796 const unsigned char *buf,
797 size_t len)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]798{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]799 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
800 len != 0) {
801 MBEDTLS_SSL_DEBUG_MSG(1,
802 ("non-matching session ticket extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]803 mbedtls_ssl_send_alert_message(
804 ssl,
805 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
807 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]808 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]809
810 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]811
812 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]814 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]815}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]816#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]817
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]818#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]819 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]820MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
822 const unsigned char *buf,
823 size_t len)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]824{
825 size_t list_size;
826 const unsigned char *p;
827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 if (len == 0 || (size_t) (buf[0] + 1) != len) {
829 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
830 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
831 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
832 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]833 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]834 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]835
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]836 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]837 while (list_size > 0) {
838 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
839 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti46423162023-03-27 14:33:27 +0200[diff] [blame]840#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]841 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti77a904c2023-03-24 07:28:49 +0100[diff] [blame]842#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]843#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]844 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
845 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
846 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]847#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]848 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
849 return 0;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]850 }
851
852 list_size--;
853 p++;
854 }
855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
857 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
858 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
859 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]860}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]861#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]862 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]863
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]864#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]865MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]866static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
867 const unsigned char *buf,
868 size_t len)
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]869{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]870 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]871
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 if (ssl->handshake->ciphersuite_info->key_exchange !=
873 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
874 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
875 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]876 }
877
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]878 /* If we got here, we no longer need our cached extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 mbedtls_free(ssl->handshake->ecjpake_cache);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]880 ssl->handshake->ecjpake_cache = NULL;
881 ssl->handshake->ecjpake_cache_len = 0;
882
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]883#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]884 if ((ret = mbedtls_psa_ecjpake_read_round(
885 &ssl->handshake->psa_pake_ctx, buf, len,
886 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
887 psa_destroy_key(ssl->handshake->psa_pake_password);
888 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]889
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]890 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]891 mbedtls_ssl_send_alert_message(
892 ssl,
893 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
895 return ret;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]896 }
897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 return 0;
899#else
900 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
901 buf, len)) != 0) {
902 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
903 mbedtls_ssl_send_alert_message(
904 ssl,
905 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
906 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
907 return ret;
908 }
909
910 return 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]911#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]912}
913#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]916MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
918 const unsigned char *buf, size_t len)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]919{
920 size_t list_len, name_len;
921 const char **p;
922
923 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 if (ssl->conf->alpn_list == NULL) {
925 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]926 mbedtls_ssl_send_alert_message(
927 ssl,
928 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
930 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]931 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]932
933 /*
934 * opaque ProtocolName<1..2^8-1>;
935 *
936 * struct {
937 * ProtocolName protocol_name_list<2..2^16-1>
938 * } ProtocolNameList;
939 *
940 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
941 */
942
943 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 if (len < 4) {
945 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
946 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
947 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]948 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 list_len = (buf[0] << 8) | buf[1];
951 if (list_len != len - 2) {
952 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
953 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
954 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]955 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]956
957 name_len = buf[2];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]958 if (name_len != list_len - 1) {
959 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
961 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]962 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]963
964 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
966 if (name_len == strlen(*p) &&
967 memcmp(buf + 3, *p, name_len) == 0) {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]968 ssl->alpn_chosen = *p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]970 }
971 }
972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
974 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
975 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
976 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]977}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]979
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]980#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]981MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]982static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
983 const unsigned char *buf,
984 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]985{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]986 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]987 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]988 uint16_t server_protection_profile_value = 0;
989
990 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
992 (ssl->conf->dtls_srtp_profile_list == NULL) ||
993 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
994 return 0;
995 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]996
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]997 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]998 * uint8 SRTPProtectionProfile[2];
999 *
1000 * struct {
1001 * SRTPProtectionProfiles SRTPProtectionProfiles;
1002 * opaque srtp_mki<0..255>;
1003 * } UseSRTPData;
1004
1005 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1006 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1007 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1008 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1009 mki_len = ssl->dtls_srtp_info.mki_len;
1010 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1011
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1012 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1013 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1014 * + protection profile (2 bytes)
1015 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1016 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1017 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1018 if ((len < 5) || (len != (buf[4] + 5u))) {
1019 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1020 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1021
1022 /*
1023 * get the server protection profile
1024 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1025
1026 /*
1027 * protection profile length must be 0x0002 as we must have only
1028 * one protection profile in server Hello
1029 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 if ((buf[0] != 0) || (buf[1] != 2)) {
1031 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1032 }
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1033
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1034 server_protection_profile_value = (buf[2] << 8) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1035 server_protection = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1036 server_protection_profile_value);
1037 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1038 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1039 mbedtls_ssl_get_srtp_profile_as_string(
1040 server_protection)));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1041 }
1042
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1043 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1044
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1045 /*
1046 * Check we have the server profile in our list
1047 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1049 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1050 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1052 mbedtls_ssl_get_srtp_profile_as_string(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1053 server_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1054 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1055 }
1056 }
1057
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1058 /* If no match was found : server problem, it shall never answer with incompatible profile */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1060 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1061 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1062 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1063 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1064
1065 /* If server does not use mki in its reply, make sure the client won't keep
1066 * one as negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067 if (len == 5) {
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1068 ssl->dtls_srtp_info.mki_len = 0;
1069 }
1070
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1071 /*
1072 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1073 * If the client detects a nonzero-length MKI in the server's response
1074 * that is different than the one the client offered, then the client
1075 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1076 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1077 if (len > 5 && (buf[4] != mki_len ||
1078 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1079 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1080 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1081 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1082 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1083#if defined(MBEDTLS_DEBUG_C)
1084 if (len > 5) {
1085 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1086 ssl->dtls_srtp_info.mki_len);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1087 }
1088#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1089 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1090}
1091#endif /* MBEDTLS_SSL_DTLS_SRTP */
1092
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1093/*
1094 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1095 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1097MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1098static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1099{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1100 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1101 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1102 uint16_t dtls_legacy_version;
Jerry Yue01304f2022-04-07 10:51:55 +0800[diff] [blame]1103
1104#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1105 uint8_t cookie_len;
1106#else
1107 uint16_t cookie_len;
1108#endif
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1111
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1112 /* Check that there is enough room for:
1113 * - 2 bytes of version
1114 * - 1 byte of cookie_len
1115 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1117 MBEDTLS_SSL_DEBUG_MSG(1,
1118 ("incoming HelloVerifyRequest message is too short"));
1119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1120 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1121 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1122 }
1123
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1124 /*
1125 * struct {
1126 * ProtocolVersion server_version;
1127 * opaque cookie<0..2^8-1>;
1128 * } HelloVerifyRequest;
1129 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1130 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1131 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1132 p += 2;
1133
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1134 /*
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1135 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1136 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1137 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1138 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1139 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1140 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1142 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1143 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1146 }
1147
1148 cookie_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1149 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1150 MBEDTLS_SSL_DEBUG_MSG(1,
1151 ("cookie length does not match incoming message size"));
1152 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1153 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1154 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1155 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1156 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1157
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1158 mbedtls_free(ssl->handshake->cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1160 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1161 if (ssl->handshake->cookie == NULL) {
1162 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1163 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1164 }
1165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1166 memcpy(ssl->handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1167 ssl->handshake->cookie_len = cookie_len;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1168
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1169 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1171 ret = mbedtls_ssl_reset_checksum(ssl);
1172 if (0 != ret) {
1173 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1174 return ret;
1175 }
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1177 mbedtls_ssl_recv_flight_completed(ssl);
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1179 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1181 return 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1182}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1184
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1185MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1186static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1188 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1189 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1190 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1191 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1192 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1193#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1194 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1195#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1196 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1197 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1201 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1202 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1204 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 }
1206
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]1207 buf = ssl->in_msg;
1208
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1209 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1210#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1212 ssl->renego_records_seen++;
1213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1214 if (ssl->conf->renego_max_records >= 0 &&
1215 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1216 MBEDTLS_SSL_DEBUG_MSG(1,
1217 ("renegotiation requested, but not honored by server"));
1218 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1219 }
1220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1221 MBEDTLS_SSL_DEBUG_MSG(1,
1222 ("non-handshake message during renegotiation"));
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1223
1224 ssl->keep_current_message = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1225 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1226 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1227#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1230 mbedtls_ssl_send_alert_message(
1231 ssl,
1232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1234 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 }
1236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1238 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1239 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1240 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1241 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1242 return ssl_parse_hello_verify_request(ssl);
1243 } else {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1244 /* We made it through the verification process */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1245 mbedtls_free(ssl->handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]1246 ssl->handshake->cookie = NULL;
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1247 ssl->handshake->cookie_len = 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1248 }
1249 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1250#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1252 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1253 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1254 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1256 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1257 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 }
1259
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1260 /*
1261 * 0 . 1 server_version
1262 * 2 . 33 random (maybe including 4 bytes of Unix time)
1263 * 34 . 34 session_id length = n
1264 * 35 . 34+n session_id
1265 * 35+n . 36+n cipher_suite
1266 * 37+n . 37+n compression_method
1267 *
1268 * 38+n . 39+n extensions length (optional)
1269 * 40+n . .. extensions
1270 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1271 buf += mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1273 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
1274 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1275 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1277 if (ssl->tls_version < ssl->conf->min_tls_version ||
1278 ssl->tls_version > ssl->conf->max_tls_version) {
1279 MBEDTLS_SSL_DEBUG_MSG(1,
1280 (
1281 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1282 (unsigned) ssl->conf->min_tls_version,
1283 (unsigned) ssl->tls_version,
1284 (unsigned) ssl->conf->max_tls_version));
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1286 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1287 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1288
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1290 }
1291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1292 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1293 ((unsigned long) buf[2] << 24) |
1294 ((unsigned long) buf[3] << 16) |
1295 ((unsigned long) buf[4] << 8) |
1296 ((unsigned long) buf[5])));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1298 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1300 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1302 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1304 if (n > 32) {
1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1308 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1309 }
1310
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1311 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1312 ext_len = ((buf[38 + n] << 8)
1313 | (buf[39 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 if ((ext_len > 0 && ext_len < 4) ||
1316 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1317 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1318 mbedtls_ssl_send_alert_message(
1319 ssl,
1320 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1321 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1322 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1323 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1325 ext_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1326 } else {
1327 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1328 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1329 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1330 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1331 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1333 /* ciphersuite (used later) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1334 i = (buf[35 + n] << 8) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1335
1336 /*
1337 * Read and check compression
1338 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1339 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1341 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1342 MBEDTLS_SSL_DEBUG_MSG(1,
1343 ("server hello, bad compression: %d", comp));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1344 mbedtls_ssl_send_alert_message(
1345 ssl,
1346 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1347 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1348 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1349 }
1350
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1351 /*
1352 * Initialize update checksum functions
1353 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1354 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1355 if (ssl->handshake->ciphersuite_info == NULL) {
1356 MBEDTLS_SSL_DEBUG_MSG(1,
1357 ("ciphersuite info for %04x not found", (unsigned int) i));
1358 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1359 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1360 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1361 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1366 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367
1368 /*
1369 * Check if the session can be resumed
1370 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 if (ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372#if defined(MBEDTLS_SSL_RENEGOTIATION)
1373 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1374#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1375 ssl->session_negotiate->ciphersuite != i ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1376 ssl->session_negotiate->id_len != n ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1377 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1379 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1381 ssl->session_negotiate->start = mbedtls_time(NULL);
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1382#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1383 ssl->session_negotiate->ciphersuite = i;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1384 ssl->session_negotiate->id_len = n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 memcpy(ssl->session_negotiate->id, buf + 35, n);
1386 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388 }
1389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1390 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1391 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1394 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1395 buf[37 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1396
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1397 /*
1398 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1399 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1401 while (1) {
1402 if (ssl->conf->ciphersuite_list[i] == 0) {
1403 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1404 mbedtls_ssl_send_alert_message(
1405 ssl,
1406 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1408 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409 }
1410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 if (ssl->conf->ciphersuite_list[i++] ==
1412 ssl->session_negotiate->ciphersuite) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1414 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1415 }
1416
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1417 suite_info = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1418 ssl->session_negotiate->ciphersuite);
1419 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1420 ssl->tls_version) != 0) {
1421 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1422 mbedtls_ssl_send_alert_message(
1423 ssl,
1424 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1425 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1426 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1427 }
1428
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1429 MBEDTLS_SSL_DEBUG_MSG(3,
1430 ("server hello, chosen ciphersuite: %s", suite_info->name));
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1431
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1432#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1434 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1435 ssl->handshake->ecrs_enabled = 1;
1436 }
1437#endif
1438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1439 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1441 mbedtls_ssl_send_alert_message(
1442 ssl,
1443 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1445 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1446 }
1447
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1448 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1450 MBEDTLS_SSL_DEBUG_MSG(2,
1451 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1452 ext_len));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1453
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1454 while (ext_len) {
1455 unsigned int ext_id = ((ext[0] << 8)
1456 | (ext[1]));
1457 unsigned int ext_size = ((ext[2] << 8)
1458 | (ext[3]));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1460 if (ext_size + 4 > ext_len) {
1461 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1462 mbedtls_ssl_send_alert_message(
1463 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1464 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1465 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1466 }
1467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 switch (ext_id) {
1469 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1470 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1472 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1473#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1475 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1476 ext_size)) != 0) {
1477 return ret;
1478 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1482#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1483 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1484 MBEDTLS_SSL_DEBUG_MSG(3,
1485 ("found max_fragment_length extension"));
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1488 ext + 4, ext_size)) != 0) {
1489 return ret;
1490 }
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1494
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1495#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1496 case MBEDTLS_TLS_EXT_CID:
1497 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1498
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 if ((ret = ssl_parse_cid_ext(ssl,
1500 ext + 4,
1501 ext_size)) != 0) {
1502 return ret;
1503 }
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1506#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1507
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1508#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1509 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1510 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1512 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1513 ext + 4, ext_size)) != 0) {
1514 return ret;
1515 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1517 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1518#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1521 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1522 MBEDTLS_SSL_DEBUG_MSG(3,
1523 ("found extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1525 if ((ret = ssl_parse_extended_ms_ext(ssl,
1526 ext + 4, ext_size)) != 0) {
1527 return ret;
1528 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1529
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1530 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1531#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1533#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1534 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1535 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1536
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1537 if ((ret = ssl_parse_session_ticket_ext(ssl,
1538 ext + 4, ext_size)) != 0) {
1539 return ret;
1540 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1542 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1544
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1545#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1547 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1548 MBEDTLS_SSL_DEBUG_MSG(3,
1549 ("found supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1551 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1552 ext + 4, ext_size)) != 0) {
1553 return ret;
1554 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1556 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1557#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1558 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1559
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1560#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1562 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1563
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1564 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1565 ext + 4, ext_size)) != 0) {
1566 return ret;
1567 }
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 break;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1570#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1572#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1573 case MBEDTLS_TLS_EXT_ALPN:
1574 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1577 return ret;
1578 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1582
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1583#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 case MBEDTLS_TLS_EXT_USE_SRTP:
1585 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1586
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1587 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1588 return ret;
1589 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1592#endif /* MBEDTLS_SSL_DTLS_SRTP */
1593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1594 default:
1595 MBEDTLS_SSL_DEBUG_MSG(3,
1596 ("unknown extension found: %u (ignoring)", ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1597 }
1598
1599 ext_len -= 4 + ext_size;
1600 ext += 4 + ext_size;
1601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1602 if (ext_len > 0 && ext_len < 4) {
1603 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1604 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1605 }
1606 }
1607
1608 /*
Andrzej Kurek21b50802022-07-06 03:26:55 -0400[diff] [blame]1609 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1610 * extensions. It sets the transform data for the resumed session which in
1611 * case of DTLS includes the server CID extracted from the CID extension.
1612 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1613 if (ssl->handshake->resume) {
1614 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1616 mbedtls_ssl_send_alert_message(
1617 ssl,
1618 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1619 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1620 return ret;
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1621 }
1622 }
1623
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1624 /*
1625 * Renegotiation security checks
1626 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1627 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1628 ssl->conf->allow_legacy_renegotiation ==
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1629 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1630 MBEDTLS_SSL_DEBUG_MSG(1,
1631 ("legacy renegotiation, breaking off handshake"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1632 handshake_failure = 1;
1633 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1634#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1637 renegotiation_info_seen == 0) {
1638 MBEDTLS_SSL_DEBUG_MSG(1,
1639 ("renegotiation_info extension missing (secure)"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1640 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1641 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1642 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1643 ssl->conf->allow_legacy_renegotiation ==
1644 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1645 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1646 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1647 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1648 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1649 renegotiation_info_seen == 1) {
1650 MBEDTLS_SSL_DEBUG_MSG(1,
1651 ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1652 handshake_failure = 1;
1653 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1654#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1655
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1656 if (handshake_failure == 1) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1657 mbedtls_ssl_send_alert_message(
1658 ssl,
1659 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1660 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1661 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1662 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1666 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1667}
1668
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1669#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1670 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1671MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1672static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1673 unsigned char **p,
1674 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1675{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]1677 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1678
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1679 /*
1680 * Ephemeral DH parameters:
1681 *
1682 * struct {
1683 * opaque dh_p<1..2^16-1>;
1684 * opaque dh_g<1..2^16-1>;
1685 * opaque dh_Ys<1..2^16-1>;
1686 * } ServerDHParams;
1687 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1688 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1689 p, end)) != 0) {
1690 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1691 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1692 }
1693
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1694 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1695 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1696 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1697 dhm_actual_bitlen,
1698 ssl->conf->dhm_min_bitlen));
1699 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1700 }
1701
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1702 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1703 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1704 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1705
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1707}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1708#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1709 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1710
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1711#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1712#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1713 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1714 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1715MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1716static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1717 unsigned char **p,
1718 unsigned char *end)
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1719{
1720 uint16_t tls_id;
1721 uint8_t ecpoint_len;
1722 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]1723 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1724 size_t ec_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1725
1726 /*
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1727 * struct {
1728 * ECParameters curve_params;
1729 * ECPoint public;
1730 * } ServerECDHParams;
1731 *
Manuel Pégourié-Gonnard422370d2022-02-07 11:55:21 +0100[diff] [blame]1732 * 1 curve_type (must be "named_curve")
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1733 * 2..3 NamedCurve
1734 * 4 ECPoint.len
1735 * 5+ ECPoint contents
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1736 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1737 if (end - *p < 4) {
1738 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1739 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1740
1741 /* First byte is curve_type; only named_curve is handled */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1743 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1744 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1745
1746 /* Next two bytes are the namedcurve value */
1747 tls_id = *(*p)++;
1748 tls_id <<= 8;
1749 tls_id |= *(*p)++;
1750
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1751 /* Check it's a curve we offered */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1753 MBEDTLS_SSL_DEBUG_MSG(2,
1754 ("bad server key exchange message (ECDHE curve): %u",
1755 (unsigned) tls_id));
1756 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardff229cf2022-02-07 12:00:32 +0100[diff] [blame]1757 }
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1758
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1759 /* Convert EC's TLS ID to PSA key type. */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]1760 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1761 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1762 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1763 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1764 handshake->xxdh_psa_type = key_type;
1765 handshake->xxdh_bits = ec_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1766
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1767 /* Keep a copy of the peer's public key */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1768 ecpoint_len = *(*p)++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1769 if ((size_t) (end - *p) < ecpoint_len) {
1770 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1771 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1772
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1773 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
1774 the sizes of the FFDH keys which are at least 2048 bits.
1775 The size of the array is thus greater than 256 bytes which is greater than any
1776 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1777#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1778 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1779 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1780 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1781#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]1782 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
1783 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1784#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1785
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1786 memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
1787 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1788 *p += ecpoint_len;
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1789
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1790 return 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1791}
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1792#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1793 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1794 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1795#else
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1796#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1797 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1798 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1799 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1800 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1801MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1802static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1803{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]1804 uint16_t tls_id;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1805 mbedtls_ecp_group_id grp_id;
1806#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1807 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1808#else
1809 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1810#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1811
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1812 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1813 if (tls_id == 0) {
1814 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1815 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1816 }
1817
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1818 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1819 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1821 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1822 return -1;
1823 }
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1824
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1825 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1826 MBEDTLS_DEBUG_ECDH_QP);
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1828 return 0;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1829}
1830
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1831#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1832 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1833 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1834 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1835 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1836
1837#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1838 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1839 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1840MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1841static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1842 unsigned char **p,
1843 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1844{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1846
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1847 /*
1848 * Ephemeral ECDH parameters:
1849 *
1850 * struct {
1851 * ECParameters curve_params;
1852 * ECPoint public;
1853 * } ServerECDHParams;
1854 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1855 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1856 (const unsigned char **) p, end)) != 0) {
1857 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1858#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]1860 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1861 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]1862#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1863 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1864 }
1865
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1866 if (ssl_check_server_ecdh_params(ssl) != 0) {
1867 MBEDTLS_SSL_DEBUG_MSG(1,
1868 ("bad server key exchange message (ECDHE curve)"));
1869 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1870 }
1871
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1872 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1873}
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1874#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1875 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1876 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1877#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1878#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1879MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1880static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1881 unsigned char **p,
1882 unsigned char *end)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1883{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1884 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]1885 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1886 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1887
1888 /*
1889 * PSK parameters:
1890 *
1891 * opaque psk_identity_hint<0..2^16-1>;
1892 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1893 if (end - (*p) < 2) {
1894 MBEDTLS_SSL_DEBUG_MSG(1,
1895 ("bad server key exchange message (psk_identity_hint length)"));
1896 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]1897 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]1898 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1899 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1900
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1901 if (end - (*p) < len) {
1902 MBEDTLS_SSL_DEBUG_MSG(1,
1903 ("bad server key exchange message (psk_identity_hint length)"));
1904 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1905 }
1906
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1907 /*
Tom Cosgroveed4f59e2022-12-05 12:07:50 +0000[diff] [blame]1908 * Note: we currently ignore the PSK identity hint, as we only allow one
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1909 * PSK to be provisioned on the client. This could be changed later if
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1910 * someone needs that feature.
1911 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1912 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1913 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1914
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1915 return ret;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1916}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1917#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1918
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1919#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1920 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1921/*
1922 * Generate a pre-master secret and encrypt it with the server's RSA key
1923 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1924MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1925static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1926 size_t offset, size_t *olen,
1927 size_t pms_offset)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1928{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1929 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1930 size_t len_bytes = 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1931 unsigned char *p = ssl->handshake->premaster + pms_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1932 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1933
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1934 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1935 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1936 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]1937 }
1938
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1939 /*
1940 * Generate (part of) the pre-master as
1941 * struct {
1942 * ProtocolVersion client_version;
1943 * opaque random[46];
1944 * } PreMasterSecret;
1945 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1946 mbedtls_ssl_write_version(p, ssl->conf->transport,
1947 MBEDTLS_SSL_VERSION_TLS1_2);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1948
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1949 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1950 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1951 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1952 }
1953
1954 ssl->handshake->pmslen = 48;
1955
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1956#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1957 peer_pk = &ssl->handshake->peer_pubkey;
1958#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1959 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]1960 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1961 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1962 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1963 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1964 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1965#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1966
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1967 /*
1968 * Now write it out, encrypted
1969 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1970 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1971 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1972 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1973 }
1974
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1975 if ((ret = mbedtls_pk_encrypt(peer_pk,
1976 p, ssl->handshake->pmslen,
1977 ssl->out_msg + offset + len_bytes, olen,
1978 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1979 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1980 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1981 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1982 }
1983
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1984 if (len_bytes == 2) {
1985 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1986 *olen += 2;
1987 }
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1988
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1989#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1990 /* We don't need the peer's public key anymore. Free it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1991 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1992#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1993 return 0;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1994}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1995#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1996 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1998#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1999 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2000MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2001static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2002{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2003 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2004 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2005
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2006#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2007 peer_pk = &ssl->handshake->peer_pubkey;
2008#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2010 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2011 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2012 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2013 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2014 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2015#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2016
Manuel Pégourié-Gonnard66b0d612022-06-17 10:49:29 +0200[diff] [blame]2017 /* This is a public key, so it can't be opaque, so can_do() is a good
2018 * enough check to ensure pk_ec() is safe to use below. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2019 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2020 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2021 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2022 }
2023
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2024#if defined(MBEDTLS_ECP_C)
2025 const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
2026#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2027
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2028#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2029 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2030 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2031 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2032
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2033 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2034 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2035 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2036 }
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2037
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2038 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2039 if (tls_id == 0) {
2040 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2041 grp_id));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2042 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2043 }
2044
Valerio Setti1e868cc2023-01-09 17:30:01 +0100[diff] [blame]2045 /* If the above conversion to TLS ID was fine, then also this one will be,
2046 so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2047 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2048 &ssl->handshake->xxdh_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2049
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2050 ssl->handshake->xxdh_psa_type = key_type;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2051
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2052 /* Store peer's public key in psa format. */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2053#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2054 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2055 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2056 ret = 0;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2057#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2058 size_t olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2059 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2060 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2061 ssl->handshake->xxdh_psa_peerkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2062 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2063
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2064 if (ret != 0) {
2065 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2066 return ret;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2067 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2068 ssl->handshake->xxdh_psa_peerkey_len = olen;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2069#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2070#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2071 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2072 MBEDTLS_ECDH_THEIRS)) != 0) {
2073 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2074 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2075 }
2076
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2077 if (ssl_check_server_ecdh_params(ssl) != 0) {
2078 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2079 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2080 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2081#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2082#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2083 /* We don't need the peer's public key anymore. Free it,
2084 * so that more RAM is available for upcoming expensive
2085 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2086 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2087#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2088
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2089 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2090}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2092 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2093
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2094MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2095static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2096{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2097 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2098 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2099 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2100 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2102 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2104#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2105 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2106 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2107 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2108 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2109 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2110 ((void) p);
2111 ((void) end);
2112#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2115 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2116 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2117 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2118 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2119 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2120 mbedtls_ssl_send_alert_message(
2121 ssl,
2122 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2123 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2124 return ret;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2125 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2126
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2128 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2129 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2130 }
2131 ((void) p);
2132 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2133#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2134 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2135
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2136#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2137 if (ssl->handshake->ecrs_enabled &&
2138 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2139 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2140 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2141#endif
2142
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2143 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2144 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2145 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146 }
2147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2148 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2149 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2150 mbedtls_ssl_send_alert_message(
2151 ssl,
2152 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2153 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2154 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155 }
2156
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2157 /*
2158 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2159 * doesn't use a psk_identity_hint
2160 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2161 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2162 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2163 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2164 /* Current message is probably either
2165 * CertificateRequest or ServerHelloDone */
2166 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2167 goto exit;
2168 }
2169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2170 MBEDTLS_SSL_DEBUG_MSG(1,
2171 ("server key exchange message must not be skipped"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2172 mbedtls_ssl_send_alert_message(
2173 ssl,
2174 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2175 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2177 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178 }
2179
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2180#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2181 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2182 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2183 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2184
2185start_processing:
2186#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2187 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2188 end = ssl->in_msg + ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2189 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2190
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2191#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2192 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2193 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2194 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2195 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2196 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2197 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2198 mbedtls_ssl_send_alert_message(
2199 ssl,
2200 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2201 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2202 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2203 }
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]2204 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2205#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2208 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2209 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2210 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2211 ; /* nothing more to do */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2212 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2213#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2214 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2215#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2216 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2217 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2218 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2219 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2221 mbedtls_ssl_send_alert_message(
2222 ssl,
2223 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2224 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2225 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2226 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2227 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2229 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2230#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2231 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2233 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2234 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2235 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2236 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2237 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2238 mbedtls_ssl_send_alert_message(
2239 ssl,
2240 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2241 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2242 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2243 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2244 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2245#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2246 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2247 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2248#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2249 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2250#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2251 /*
2252 * The first 3 bytes are:
2253 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2254 * [1, 2] elliptic curve's TLS ID
2255 *
2256 * However since we only support secp256r1 for now, we check only
2257 * that TLS ID here
2258 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2259 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2260 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2261 MBEDTLS_ECP_DP_SECP256R1);
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2262
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 if (exp_tls_id == 0) {
2264 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2265 }
2266
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2267 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2268 (read_tls_id != exp_tls_id)) {
2269 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Valerio Setti5151bdf2022-11-21 14:30:02 +0100[diff] [blame]2270 }
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2271
2272 p += 3;
2273
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2274 if ((ret = mbedtls_psa_ecjpake_read_round(
2275 &ssl->handshake->psa_pake_ctx, p, end - p,
2276 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2277 psa_destroy_key(ssl->handshake->psa_pake_password);
2278 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2279
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2280 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2281 mbedtls_ssl_send_alert_message(
2282 ssl,
2283 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2284 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2285 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2286 }
2287#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2288 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2289 p, end - p);
2290 if (ret != 0) {
2291 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2292 mbedtls_ssl_send_alert_message(
2293 ssl,
2294 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2295 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2296 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2297 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2298#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2299 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2300#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2301 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2302 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2303 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2304 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2305
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2306#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2307 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2308 size_t sig_len, hashlen;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2309 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]2310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2311 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2312 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2313 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2314 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2315 void *rs_ctx = NULL;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2316 uint16_t sig_alg;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2317
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2318 mbedtls_pk_context *peer_pk;
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]2319
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2320#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2321 peer_pk = &ssl->handshake->peer_pubkey;
2322#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2323 if (ssl->session_negotiate->peer_cert == NULL) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2324 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2326 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2327 }
2328 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2329#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2330
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2331 /*
2332 * Handle the digitally-signed structure
2333 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2335 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2336 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2337 sig_alg, &pk_alg, &md_alg) != 0 &&
2338 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2339 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2340 MBEDTLS_SSL_DEBUG_MSG(1,
2341 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2342 mbedtls_ssl_send_alert_message(
2343 ssl,
2344 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2345 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2346 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2347 }
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2348 p += 2;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2350 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2351 MBEDTLS_SSL_DEBUG_MSG(1,
2352 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2353 mbedtls_ssl_send_alert_message(
2354 ssl,
2355 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2356 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2357 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2358 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2359
2360 /*
2361 * Read signature
2362 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2364 if (p > end - 2) {
2365 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2366 mbedtls_ssl_send_alert_message(
2367 ssl,
2368 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2369 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2370 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2371 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2372 sig_len = (p[0] << 8) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2373 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2375 if (p != end - sig_len) {
2376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2377 mbedtls_ssl_send_alert_message(
2378 ssl,
2379 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2380 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2381 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2382 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2384 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2385
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2386 /*
2387 * Compute the hash that has been signed
2388 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2389 if (md_alg != MBEDTLS_MD_NONE) {
2390 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2391 params, params_len,
2392 md_alg);
2393 if (ret != 0) {
2394 return ret;
2395 }
2396 } else {
2397 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2398 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2399 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2401 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2402
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2403 /*
2404 * Verify signature
2405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2406 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2407 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2408 mbedtls_ssl_send_alert_message(
2409 ssl,
2410 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2411 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2412 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2413 }
2414
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2415#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2416 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2417 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2418 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2419#endif
2420
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2421#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2422 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2423 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2424 rsassa_pss_options.mgf1_hash_id = md_alg;
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2425 rsassa_pss_options.expected_salt_len =
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]2426 mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2427 if (rsassa_pss_options.expected_salt_len == 0) {
2428 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2429 }
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2431 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2432 peer_pk,
2433 md_alg, hash, hashlen,
2434 p, sig_len);
2435 } else
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2436#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2437 ret = mbedtls_pk_verify_restartable(peer_pk,
2438 md_alg, hash, hashlen, p, sig_len, rs_ctx);
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2440 if (ret != 0) {
David Horstmannb21bbef2022-10-06 17:49:31 +0100[diff] [blame]2441 int send_alert_msg = 1;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2442#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2443 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2444#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2445 if (send_alert_msg) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2446 mbedtls_ssl_send_alert_message(
2447 ssl,
2448 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2450 }
2451 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2452#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2453 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2454 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2455 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2456#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2457 return ret;
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2458 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2459
2460#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2461 /* We don't need the peer's public key anymore. Free it,
2462 * so that more RAM is available for upcoming expensive
2463 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2464 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2465#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2466 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2467#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2468
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2469exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2470 ssl->state++;
2471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2472 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2474 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475}
2476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2477#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2478MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2479static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2480{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2481 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2482 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2484 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2486 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2487 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2488 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2489 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2490 }
2491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2492 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2493 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2494}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2495#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2496MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2497static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2498{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2499 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2500 unsigned char *buf;
2501 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2502 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2503 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2504 ssl->handshake->ciphersuite_info;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2505 size_t sig_alg_len;
2506#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2507 unsigned char *sig_alg;
2508 unsigned char *dn;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2509#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2511 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2513 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2514 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2515 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2516 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2517 }
2518
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2519 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2520 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2521 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2522 }
2523
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2524 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2525 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2526 mbedtls_ssl_send_alert_message(
2527 ssl,
2528 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2529 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2530 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2531 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2532
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2533 ssl->state++;
Jerry Yufb28b882022-01-28 11:05:58 +0800[diff] [blame]2534 ssl->handshake->client_auth =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2535 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2537 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2538 ssl->handshake->client_auth ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2540 if (ssl->handshake->client_auth == 0) {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]2541 /* Current message is probably the ServerHelloDone */
2542 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2543 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2544 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2545
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2546 /*
2547 * struct {
2548 * ClientCertificateType certificate_types<1..2^8-1>;
2549 * SignatureAndHashAlgorithm
2550 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2551 * DistinguishedName certificate_authorities<0..2^16-1>;
2552 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2553 *
2554 * Since we only support a single certificate on clients, let's just
2555 * ignore all the information that's supposed to help us pick a
2556 * certificate.
2557 *
2558 * We could check that our certificate matches the request, and bail out
2559 * if it doesn't, but it's simpler to just send the certificate anyway,
2560 * and give the server the opportunity to decide if it should terminate
2561 * the connection when it doesn't like our certificate.
2562 *
2563 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2564 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]2565 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2566 *
2567 * However, we still minimally parse the message to check it is at least
2568 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2569 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2570 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2571
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2572 /* certificate_types */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2573 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2574 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2575 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2576 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2577 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]2578 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2579 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2580 n = cert_type_len;
2581
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2582 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2583 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2584 * * the length of the signature algorithms field (if minor version of
2585 * SSL is 3),
2586 * * distinguished name length otherwise.
2587 * Both reach at most the index:
2588 * ...hdr_len + 2 + n,
2589 * therefore the buffer length at this point must be greater than that
2590 * regardless of the actual code path.
2591 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2592 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2593 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2594 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2596 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2597 }
2598
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2599 /* supported_signature_algorithms */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2600 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2601 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2602
2603 /*
2604 * The furthest access in buf is in the loop few lines below:
2605 * sig_alg[i + 1],
2606 * where:
2607 * sig_alg = buf + ...hdr_len + 3 + n,
2608 * max(i) = sig_alg_len - 1.
2609 * Therefore the furthest access is:
2610 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2611 * which reduces to:
2612 * buf[...hdr_len + 3 + n + sig_alg_len],
2613 * which is one less than we need the buf to be.
2614 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2615 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2616 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2617 mbedtls_ssl_send_alert_message(
2618 ssl,
2619 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2620 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2621 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2622 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2623
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2624#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2625 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2626 for (size_t i = 0; i < sig_alg_len; i += 2) {
2627 MBEDTLS_SSL_DEBUG_MSG(3,
2628 ("Supported Signature Algorithm found: %02x %02x",
2629 sig_alg[i], sig_alg[i + 1]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2630 }
2631#endif
2632
2633 n += 2 + sig_alg_len;
2634
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2635 /* certificate_authorities */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2636 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2637 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2638
2639 n += dn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2640 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2641 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2642 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2643 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2644 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2645 }
2646
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2647#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2648 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2649 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2650 unsigned char *p = dn + i + 2;
2651 mbedtls_x509_name name;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2652 size_t asn1_len;
2653 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2654 memset(&name, 0, sizeof(name));
2655 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2656 if (dni_len > dn_len - i - 2 ||
2657 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2658 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2659 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2660 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2661 mbedtls_ssl_send_alert_message(
2662 ssl,
2663 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2664 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2665 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2666 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2667 MBEDTLS_SSL_DEBUG_MSG(3,
2668 ("DN hint: %.*s",
2669 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2670 mbedtls_asn1_free_named_data_list_shallow(name.next);
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2671 }
2672#endif
2673
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2674exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2675 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2676
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2677 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2678}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2679#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2680
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2681MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2682static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2683{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2684 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2686 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2687
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2688 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2689 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2690 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2691 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2692
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2693 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2694 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2695 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2696 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2699 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2700 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2701 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2702 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2703 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2704 }
2705
2706 ssl->state++;
2707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2708#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2709 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2710 mbedtls_ssl_recv_flight_completed(ssl);
2711 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2712#endif
2713
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2714 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2715
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2716 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2717}
2718
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2719MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2720static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2721{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2722 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2723
2724 size_t header_len;
2725 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2726 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2727 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2728
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2729 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2731#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2732 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2733 /*
2734 * DHM key exchange -- send G^X mod P
2735 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2736 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2738 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2739 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2740
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2741 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2742 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2743 &ssl->out_msg[header_len], content_len,
2744 ssl->conf->f_rng, ssl->conf->p_rng);
2745 if (ret != 0) {
2746 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2747 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2748 }
2749
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2750 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2751 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2752
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2754 ssl->handshake->premaster,
2755 MBEDTLS_PREMASTER_SIZE,
2756 &ssl->handshake->pmslen,
2757 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2758 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2759 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2760 }
2761
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2762 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2763 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2764#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2765#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2766 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2767 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2768 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2769 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Przemek Stekield905d332022-03-16 09:50:56 +0100[diff] [blame]2770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2771 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2772 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2773#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2774 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2775 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2776 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2777
2778 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2779
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2780 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2781
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2782 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]2783
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2784 /*
2785 * Generate EC private key for ECDHE exchange.
2786 */
2787
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2788 /* The master secret is obtained from the shared ECDH secret by
2789 * applying the TLS 1.2 PRF with a specific salt and label. While
2790 * the PSA Crypto API encourages combining key agreement schemes
2791 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2792 * yet support the provisioning of salt + label to the KDF.
2793 * For the time being, we therefore need to split the computation
2794 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2795 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2796 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2797 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2798 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2799 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2800
2801 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2802 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2803 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2804 if (status != PSA_SUCCESS) {
2805 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2806 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2807
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2808 /* Export the public part of the ECDH private key from PSA.
Manuel Pégourié-Gonnard5d6053f2022-02-08 10:26:19 +0100[diff] [blame]2809 * The export format is an ECPoint structure as expected by TLS,
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2810 * but we just need to add a length byte before that. */
2811 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2812 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2813 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2814 size_t own_pubkey_len;
2815
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2816 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2817 own_pubkey, own_pubkey_max_len,
2818 &own_pubkey_len);
2819 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2820 psa_destroy_key(handshake->xxdh_psa_privkey);
2821 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2822 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2823 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2824
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2825 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2826 content_len = own_pubkey_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2827
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2828 /* The ECDH secret is the premaster secret used for key derivation. */
2829
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]2830 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2831 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2832 handshake->xxdh_psa_privkey,
2833 handshake->xxdh_psa_peerkey,
2834 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2835 ssl->handshake->premaster,
2836 sizeof(ssl->handshake->premaster),
2837 &ssl->handshake->pmslen);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2838
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2839 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
2840 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2841
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2842 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2843 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2844 }
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2845#else
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2846 /*
2847 * ECDH key exchange -- send client public value
2848 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2849 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2850
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2851#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2852 if (ssl->handshake->ecrs_enabled) {
2853 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2854 goto ecdh_calc_secret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2855 }
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]2856
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2857 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2858 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2859#endif
2860
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2862 &content_len,
2863 &ssl->out_msg[header_len], 1000,
2864 ssl->conf->f_rng, ssl->conf->p_rng);
2865 if (ret != 0) {
2866 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2867#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2868 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2869 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2870 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2871#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2872 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2873 }
2874
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2875 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2876 MBEDTLS_DEBUG_ECDH_Q);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2877
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2878#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2879 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2880 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]2881 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2882 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2883
2884ecdh_calc_secret:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2885 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2886 content_len = ssl->handshake->ecrs_n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2887 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2888#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2889 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2890 &ssl->handshake->pmslen,
2891 ssl->handshake->premaster,
2892 MBEDTLS_MPI_MAX_SIZE,
2893 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2894 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2895#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2896 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2897 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2898 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2899#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2900 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2901 }
2902
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2903 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2904 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2905#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2906 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2907#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2908 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2909 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2910 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2911#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2912 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2913 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2914 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2915 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2916 psa_key_attributes_t key_attributes;
2917
2918 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2919
2920 /*
2921 * opaque psk_identity<0..2^16-1>;
2922 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2923 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2924 /* We don't offer PSK suites if we don't have a PSK,
2925 * and we check that the server's choice is among the
2926 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2927 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2928 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2929
Neil Armstrongfc834f22022-03-23 17:54:38 +0100[diff] [blame]2930 /* uint16 to store content length */
2931 const size_t content_len_size = 2;
2932
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2933 header_len = 4;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2934
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2935 if (header_len + content_len_size + ssl->conf->psk_identity_len
2936 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2937 MBEDTLS_SSL_DEBUG_MSG(1,
2938 ("psk identity too long or SSL buffer too short"));
2939 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2940 }
2941
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2942 unsigned char *p = ssl->out_msg + header_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2943
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2944 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2945 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2946 header_len += content_len_size;
2947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 memcpy(p, ssl->conf->psk_identity,
2949 ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2950 p += ssl->conf->psk_identity_len;
2951
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2952 header_len += ssl->conf->psk_identity_len;
2953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2954 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2955
2956 /*
2957 * Generate EC private key for ECDHE exchange.
2958 */
2959
2960 /* The master secret is obtained from the shared ECDH secret by
2961 * applying the TLS 1.2 PRF with a specific salt and label. While
2962 * the PSA Crypto API encourages combining key agreement schemes
2963 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2964 * yet support the provisioning of salt + label to the KDF.
2965 * For the time being, we therefore need to split the computation
2966 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2967 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2968 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2969 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2970 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2971 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2972
2973 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2974 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2975 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2976 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2977 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2978 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2979
2980 /* Export the public part of the ECDH private key from PSA.
2981 * The export format is an ECPoint structure as expected by TLS,
2982 * but we just need to add a length byte before that. */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2983 unsigned char *own_pubkey = p + 1;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2984 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2985 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]2986 size_t own_pubkey_len = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2987
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2988 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2989 own_pubkey, own_pubkey_max_len,
2990 &own_pubkey_len);
2991 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2992 psa_destroy_key(handshake->xxdh_psa_privkey);
2993 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2994 return PSA_TO_MBEDTLS_ERR(status);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2995 }
2996
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2997 *p = (unsigned char) own_pubkey_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2998 content_len = own_pubkey_len + 1;
2999
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3000 /* As RFC 5489 section 2, the premaster secret is formed as follows:
3001 * - a uint16 containing the length (in octets) of the ECDH computation
3002 * - the octet string produced by the ECDH computation
3003 * - a uint16 containing the length (in octets) of the PSK
3004 * - the PSK itself
3005 */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3006 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3007 const unsigned char * const pms_end = pms +
3008 sizeof(ssl->handshake->premaster);
Neil Armstrong0bdb68a2022-03-23 17:46:32 +0100[diff] [blame]3009 /* uint16 to store length (in octets) of the ECDH computation */
3010 const size_t zlen_size = 2;
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]3011 size_t zlen = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3012
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3013 /* Perform ECDH computation after the uint16 reserved for the length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3014 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3015 handshake->xxdh_psa_privkey,
3016 handshake->xxdh_psa_peerkey,
3017 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3018 pms + zlen_size,
3019 pms_end - (pms + zlen_size),
3020 &zlen);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3021
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3022 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3023 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3024
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3025 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3026 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3027 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3028 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3029 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3030
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3031 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3032 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3033 pms += zlen_size + zlen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3034 } else
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3035#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3036 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3037#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3038 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3039 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3040 * opaque psk_identity<0..2^16-1>;
3041 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3042 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3043 /* We don't offer PSK suites if we don't have a PSK,
3044 * and we check that the server's choice is among the
3045 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3046 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3047 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3048
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3049 header_len = 4;
3050 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3052 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3053 MBEDTLS_SSL_DEBUG_MSG(1,
3054 ("psk identity too long or SSL buffer too short"));
3055 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3056 }
3057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3058 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3059 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3060
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 memcpy(ssl->out_msg + header_len,
3062 ssl->conf->psk_identity,
3063 ssl->conf->psk_identity_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3064 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3066#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3067 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3068 content_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3069 } else
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3070#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3071#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3072 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3073 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3074 &content_len, 2)) != 0) {
3075 return ret;
3076 }
3077 } else
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3078#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3079#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3080 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3081 /*
3082 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3083 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3084 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3085
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3086 if (header_len + 2 + content_len >
3087 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3088 MBEDTLS_SSL_DEBUG_MSG(1,
3089 ("psk identity or DHM size too long or SSL buffer too short"));
3090 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3091 }
3092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3093 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3094 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3095
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3096 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3097 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3098 &ssl->out_msg[header_len], content_len,
3099 ssl->conf->f_rng, ssl->conf->p_rng);
3100 if (ret != 0) {
3101 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3102 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3103 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3104
3105#if defined(MBEDTLS_USE_PSA_CRYPTO)
3106 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3107 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3108 size_t pms_len;
3109
3110 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3111 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3112 pms + 2, pms_end - (pms + 2), &pms_len,
3113 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3114 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3115 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3116 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3117 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3118 pms += 2 + pms_len;
3119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3120 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3121#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3122 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3123#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3124#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3125 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3126 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3127 /*
3128 * ClientECDiffieHellmanPublic public;
3129 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3130 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3131 &content_len,
3132 &ssl->out_msg[header_len],
3133 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3134 ssl->conf->f_rng, ssl->conf->p_rng);
3135 if (ret != 0) {
3136 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3137 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3138 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3140 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3141 MBEDTLS_DEBUG_ECDH_Q);
3142 } else
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3143#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3144 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3145 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3146 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3147 }
3148
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3149#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3150 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3151 ciphersuite_info->key_exchange)) != 0) {
3152 MBEDTLS_SSL_DEBUG_RET(1,
3153 "mbedtls_ssl_psk_derive_premaster", ret);
3154 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3155 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3156#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3157 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3158#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3159#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3160 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3161 header_len = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3162 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3163 &content_len, 0)) != 0) {
3164 return ret;
3165 }
3166 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3167#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3168#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3169 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3170 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3171
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3172#if defined(MBEDTLS_USE_PSA_CRYPTO)
3173 unsigned char *out_p = ssl->out_msg + header_len;
3174 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3175 header_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3176 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3177 out_p, end_p - out_p, &content_len,
3178 MBEDTLS_ECJPAKE_ROUND_TWO);
3179 if (ret != 0) {
3180 psa_destroy_key(ssl->handshake->psa_pake_password);
3181 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3182 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3183 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3184 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3185#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3186 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3187 ssl->out_msg + header_len,
3188 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3189 &content_len,
3190 ssl->conf->f_rng, ssl->conf->p_rng);
3191 if (ret != 0) {
3192 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3193 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3194 }
3195
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3196 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3197 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3198 ssl->conf->f_rng, ssl->conf->p_rng);
3199 if (ret != 0) {
3200 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3201 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3202 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3203#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3204 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3205#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3206 {
3207 ((void) ciphersuite_info);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3208 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3209 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3210 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3211
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3212 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3213 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3214 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3215
3216 ssl->state++;
3217
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3218 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3219 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3220 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3221 }
3222
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3223 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3225 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3226}
3227
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3228#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3229MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3230static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3231{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3232 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3233 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3234 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3235
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3236 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3237
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3238 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3239 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3240 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3241 }
3242
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3243 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3244 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3245 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3246 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3247 }
3248
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3249 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3250 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3251}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3252#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3253MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3254static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3255{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3256 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3257 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3258 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3259 size_t n = 0, offset = 0;
3260 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3261 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3262 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3263 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3264 void *rs_ctx = NULL;
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3265#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3266 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3267#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3268 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3269#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3270
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3271 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3272
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3273#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3274 if (ssl->handshake->ecrs_enabled &&
3275 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3276 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3277 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3278#endif
3279
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3280 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3281 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3282 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3283 }
3284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3285 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3286 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3287 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3288 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3289 }
3290
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3291 if (ssl->handshake->client_auth == 0 ||
3292 mbedtls_ssl_own_cert(ssl) == NULL) {
3293 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3294 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3295 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3296 }
3297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3298 if (mbedtls_ssl_own_key(ssl) == NULL) {
3299 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3300 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3301 }
3302
3303 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3304 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3305 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3306#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3307 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3308 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3309 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3310
3311sign:
3312#endif
3313
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3314 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3315 if (0 != ret) {
3316 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3317 return ret;
3318 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3319
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3320 /*
3321 * digitally-signed struct {
3322 * opaque handshake_messages[handshake_messages_length];
3323 * };
3324 *
3325 * Taking shortcut here. We assume that the server always allows the
3326 * PRF Hash function and has sent it in the allowed signature
3327 * algorithms list received in the Certificate Request message.
3328 *
3329 * Until we encounter a server that does not, we will take this
3330 * shortcut.
3331 *
3332 * Reason: Otherwise we should have running hashes for SHA512 and
3333 * SHA224 in order to satisfy 'weird' needs from the server
3334 * side.
3335 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3336 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3337 md_alg = MBEDTLS_MD_SHA384;
3338 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3339 } else {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3340 md_alg = MBEDTLS_MD_SHA256;
3341 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3342 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3343 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3344
3345 /* Info from md_alg will be used instead */
3346 hashlen = 0;
3347 offset = 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3348
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3349#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3350 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3351 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3352 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3353#endif
3354
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3355 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3356 md_alg, hash_start, hashlen,
3357 ssl->out_msg + 6 + offset,
3358 out_buf_len - 6 - offset,
3359 &n,
3360 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3361 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3362#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3363 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3364 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3366#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3367 return ret;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3368 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3369
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3370 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3371
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3372 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3373 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3374 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3375
3376 ssl->state++;
3377
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3378 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3379 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3380 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3381 }
3382
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3383 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3385 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3386}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3387#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3388
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3389#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3390MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3391static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3392{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3393 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3394 uint32_t lifetime;
3395 size_t ticket_len;
3396 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3397 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3399 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3401 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3402 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3403 return ret;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3404 }
3405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3406 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3407 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3408 mbedtls_ssl_send_alert_message(
3409 ssl,
3410 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3411 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3412 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3413 }
3414
3415 /*
3416 * struct {
3417 * uint32 ticket_lifetime_hint;
3418 * opaque ticket<0..2^16-1>;
3419 * } NewSessionTicket;
3420 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3421 * 0 . 3 ticket_lifetime_hint
3422 * 4 . 5 ticket_len (n)
3423 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3424 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3425 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3426 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3427 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3428 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3429 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3430 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3431 }
3432
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3433 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3435 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
3436 (msg[2] << 8) | (msg[3]);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3437
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3438 ticket_len = (msg[4] << 8) | (msg[5]);
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3440 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3441 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3442 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3443 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3444 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3445 }
3446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3447 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3448
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3449 /* We're not waiting for a NewSessionTicket message any more */
3450 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3451 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3452
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3453 /*
3454 * Zero-length ticket means the server changed his mind and doesn't want
3455 * to send a ticket after all, so just forget it
3456 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3457 if (ticket_len == 0) {
3458 return 0;
3459 }
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3460
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3461 if (ssl->session != NULL && ssl->session->ticket != NULL) {
Tom Cosgroveca8c61b2023-07-17 15:17:40 +0100[diff] [blame^]3462 mbedtls_zeroize_and_free(ssl->session->ticket,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3463 ssl->session->ticket_len);
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]3464 ssl->session->ticket = NULL;
3465 ssl->session->ticket_len = 0;
3466 }
3467
Tom Cosgroveca8c61b2023-07-17 15:17:40 +0100[diff] [blame^]3468 mbedtls_zeroize_and_free(ssl->session_negotiate->ticket,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3469 ssl->session_negotiate->ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3470 ssl->session_negotiate->ticket = NULL;
3471 ssl->session_negotiate->ticket_len = 0;
3472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3473 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3474 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3475 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3476 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3477 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3478 }
3479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3480 memcpy(ticket, msg + 6, ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3481
3482 ssl->session_negotiate->ticket = ticket;
3483 ssl->session_negotiate->ticket_len = ticket_len;
3484 ssl->session_negotiate->ticket_lifetime = lifetime;
3485
3486 /*
3487 * RFC 5077 section 3.4:
3488 * "If the client receives a session ticket from the server, then it
3489 * discards any Session ID that was sent in the ServerHello."
3490 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3491 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3492 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3493
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3494 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3496 return 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3497}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3498#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3499
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3500/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3501 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3502 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3503int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3504{
3505 int ret = 0;
3506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3507 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3508 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3509#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3510 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3511 ssl->handshake->new_session_ticket != 0) {
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]3512 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3513 }
3514#endif
3515
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3516 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3517 case MBEDTLS_SSL_HELLO_REQUEST:
3518 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3519 break;
3520
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3521 /*
3522 * ==> ClientHello
3523 */
3524 case MBEDTLS_SSL_CLIENT_HELLO:
3525 ret = mbedtls_ssl_write_client_hello(ssl);
3526 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3527
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3528 /*
3529 * <== ServerHello
3530 * Certificate
3531 * ( ServerKeyExchange )
3532 * ( CertificateRequest )
3533 * ServerHelloDone
3534 */
3535 case MBEDTLS_SSL_SERVER_HELLO:
3536 ret = ssl_parse_server_hello(ssl);
3537 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3538
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3539 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3540 ret = mbedtls_ssl_parse_certificate(ssl);
3541 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3543 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3544 ret = ssl_parse_server_key_exchange(ssl);
3545 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3547 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3548 ret = ssl_parse_certificate_request(ssl);
3549 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3551 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3552 ret = ssl_parse_server_hello_done(ssl);
3553 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3555 /*
3556 * ==> ( Certificate/Alert )
3557 * ClientKeyExchange
3558 * ( CertificateVerify )
3559 * ChangeCipherSpec
3560 * Finished
3561 */
3562 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3563 ret = mbedtls_ssl_write_certificate(ssl);
3564 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3565
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3566 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3567 ret = ssl_write_client_key_exchange(ssl);
3568 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3569
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3570 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3571 ret = ssl_write_certificate_verify(ssl);
3572 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3573
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3574 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3575 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3576 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 case MBEDTLS_SSL_CLIENT_FINISHED:
3579 ret = mbedtls_ssl_write_finished(ssl);
3580 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3582 /*
3583 * <== ( NewSessionTicket )
3584 * ChangeCipherSpec
3585 * Finished
3586 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3587#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3588 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3589 ret = ssl_parse_new_session_ticket(ssl);
3590 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3591#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3592
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3593 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3594 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3595 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3596
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3597 case MBEDTLS_SSL_SERVER_FINISHED:
3598 ret = mbedtls_ssl_parse_finished(ssl);
3599 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3600
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3601 case MBEDTLS_SSL_FLUSH_BUFFERS:
3602 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3603 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3604 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3606 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3607 mbedtls_ssl_handshake_wrapup(ssl);
3608 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3610 default:
3611 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3612 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3613 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3614
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3615 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3616}
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3617
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3618#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */