TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ccb03449692e42f4da45fb20cd46e08b648bca26 / . / library / ssl_tls12_client.c
blob: 519ed613b1d5c7e7e36e0fb6435889ba3b8eac3a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS client-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]24#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]25
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]26#include "mbedtls/ssl.h"
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]27#include "ssl_client.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]28#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]29#include "mbedtls/debug.h"
30#include "mbedtls/error.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]31#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]32
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]33#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnard2be8c632023-06-07 13:07:21 +0200[diff] [blame]34#include "psa_util_internal.h"
Ronald Cron69a63422021-10-18 09:47:58 +0200[diff] [blame]35#include "psa/crypto.h"
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]36#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
39static int local_err_translation(psa_status_t status)
40{
41 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]42 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]43 psa_generic_status_to_mbedtls);
44}
45#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]46#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]47#endif /* MBEDTLS_USE_PSA_CRYPTO */
48
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]49#include <string.h>
50
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]51#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]54#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]55#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]58#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]59#endif
60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]62MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
64 unsigned char *buf,
65 const unsigned char *end,
66 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]67{
68 unsigned char *p = buf;
69
70 *olen = 0;
71
Tom Cosgrovece7f18c2022-07-28 05:50:56 +0100[diff] [blame]72 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]73 * initial ClientHello, in which case also adding the renegotiation
74 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]75 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
76 return 0;
77 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]78
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG(3,
80 ("client hello, adding renegotiation extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]81
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]82 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]83
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]84 /*
85 * Secure renegotiation
86 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]88 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]89
90 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]91 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
92 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]95
96 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]99}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]101
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]102#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]103 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]105MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]106static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
107 unsigned char *buf,
108 const unsigned char *end,
109 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110{
111 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]112 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
114 *olen = 0;
115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 MBEDTLS_SSL_DEBUG_MSG(3,
117 ("client hello, adding supported_point_formats extension"));
118 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]121 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122
123 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]124 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]125
126 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]127 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]128
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]129 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]132}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]133#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]134 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]135
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]136#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]137MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
139 unsigned char *buf,
140 const unsigned char *end,
141 size_t *olen)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]142{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]144 unsigned char *p = buf;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]145 size_t kkpp_len = 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]146
147 *olen = 0;
148
149 /* Skip costly extension if we can't use EC J-PAKE anyway */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]150#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]151 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
152 return 0;
153 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]154#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]155 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
156 return 0;
157 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]158#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]160 MBEDTLS_SSL_DEBUG_MSG(3,
161 ("client hello, adding ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]163 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]165 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]166 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]167
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]168 /*
169 * We may need to send ClientHello multiple times for Hello verification.
170 * We don't want to compute fresh values every time (both for performance
171 * and consistency reasons), so cache the extension content.
172 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]173 if (ssl->handshake->ecjpake_cache == NULL ||
174 ssl->handshake->ecjpake_cache_len == 0) {
175 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]176
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]177#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti6b3dab02022-11-17 17:14:54 +0100[diff] [blame]178 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 p + 2, end - p - 2, &kkpp_len,
180 MBEDTLS_ECJPAKE_ROUND_ONE);
181 if (ret != 0) {
182 psa_destroy_key(ssl->handshake->psa_pake_password);
183 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
184 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
185 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]186 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]187#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]188 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
189 p + 2, end - p - 2, &kkpp_len,
190 ssl->conf->f_rng, ssl->conf->p_rng);
191 if (ret != 0) {
192 MBEDTLS_SSL_DEBUG_RET(1,
193 "mbedtls_ecjpake_write_round_one", ret);
194 return ret;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]195 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]196#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
199 if (ssl->handshake->ecjpake_cache == NULL) {
200 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
201 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]202 }
203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]204 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]205 ssl->handshake->ecjpake_cache_len = kkpp_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]206 } else {
207 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]208
209 kkpp_len = ssl->handshake->ecjpake_cache_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]211
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]213 }
214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]215 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]216 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]217
218 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 return 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]221}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]222#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]223
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]224#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]225MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
227 unsigned char *buf,
228 const unsigned char *end,
229 size_t *olen)
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]230{
231 unsigned char *p = buf;
232 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]233
234 /*
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]235 * struct {
236 * opaque cid<0..2^8-1>;
237 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]238 */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]239
240 *olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
242 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
243 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]244 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]246
247 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
248 * which is at most 255, so the increment cannot overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]250
251 /* Add extension ID + size */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]252 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]253 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]254 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]255 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]256 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]257
258 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]259 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]260
261 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]262
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]263 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]264}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]265#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]267#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]268MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]269static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
270 unsigned char *buf,
271 const unsigned char *end,
272 size_t *olen)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]273{
274 unsigned char *p = buf;
275
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]276 *olen = 0;
277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
279 return 0;
280 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_DEBUG_MSG(3,
283 ("client hello, adding max_fragment_length extension"));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]288 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]289
290 *p++ = 0x00;
291 *p++ = 1;
292
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]293 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]294
295 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]296
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 return 0;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]298}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]299#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]302MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]303static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
304 unsigned char *buf,
305 const unsigned char *end,
306 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]307{
308 unsigned char *p = buf;
309
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]310 *olen = 0;
311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
313 return 0;
314 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_DEBUG_MSG(3,
317 ("client hello, adding encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]322 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]323
324 *p++ = 0x00;
325 *p++ = 0x00;
326
327 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]330}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]331#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]333#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]334MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]335static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
336 unsigned char *buf,
337 const unsigned char *end,
338 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]339{
340 unsigned char *p = buf;
341
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]342 *olen = 0;
343
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
345 return 0;
346 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]347
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_SSL_DEBUG_MSG(3,
349 ("client hello, adding extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]354 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]355
356 *p++ = 0x00;
357 *p++ = 0x00;
358
359 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]360
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]361 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]362}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]365#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]366MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]367static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
368 unsigned char *buf,
369 const unsigned char *end,
370 size_t *olen)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]371{
372 unsigned char *p = buf;
373 size_t tlen = ssl->session_negotiate->ticket_len;
374
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]375 *olen = 0;
376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
378 return 0;
379 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]381 MBEDTLS_SSL_DEBUG_MSG(3,
382 ("client hello, adding session ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]383
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]384 /* The addition is safe here since the ticket length is 16 bit. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]387 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]388 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]391 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]392
393 *olen = 4;
394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
396 return 0;
397 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 MBEDTLS_SSL_DEBUG_MSG(3,
400 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]402 memcpy(p, ssl->session_negotiate->ticket, tlen);
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]403
404 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]407}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]408#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]409
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]410#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]411MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
413 unsigned char *buf,
414 const unsigned char *end,
415 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]416{
417 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]418 size_t protection_profiles_index = 0, ext_len = 0;
419 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]420
421 *olen = 0;
422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]423 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
424 (ssl->conf->dtls_srtp_profile_list == NULL) ||
425 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
426 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]427 }
428
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]429 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]430 * uint8 SRTPProtectionProfile[2];
431 *
432 * struct {
433 * SRTPProtectionProfiles SRTPProtectionProfiles;
434 * opaque srtp_mki<0..255>;
435 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]436 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]437 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]438 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]439 mki_len = ssl->dtls_srtp_info.mki_len;
440 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]441 /* Extension length = 2 bytes for profiles length,
442 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
443 * 1 byte for srtp_mki vector length and the mki_len value
444 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]445 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]446
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]448
449 /* Check there is room in the buffer for the extension + 4 bytes
450 * - the extension tag (2 bytes)
451 * - the extension length (2 bytes)
452 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]453 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]455 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]456 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]459 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]460
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]461 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]462 /* micro-optimization:
463 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
464 * which is lower than 127, so the upper byte of the length is always 0
465 * For the documentation, the more generic code is left in comments
466 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
467 * >> 8 ) & 0xFF );
468 */
469 *p++ = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]472 for (protection_profiles_index = 0;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]473 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 protection_profiles_index++) {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]475 profile_value = mbedtls_ssl_check_srtp_profile_value
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]476 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
477 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
478 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
479 profile_value));
480 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]481 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]482 } else {
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]483 /*
484 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]485 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]486 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG(3,
488 ("client hello, "
489 "illegal DTLS-SRTP protection profile %d",
490 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
491 ));
492 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]493 }
494 }
495
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]496 *p++ = mki_len & 0xFF;
497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (mki_len != 0) {
499 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]500 /*
501 * Increment p to point to the current position.
502 */
503 p += mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]504 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
505 ssl->dtls_srtp_info.mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]506 }
507
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]508 /*
509 * total extension length: extension type (2 bytes)
510 * + extension length (2 bytes)
511 * + protection profile length (2 bytes)
512 * + 2 * number of protection profiles
513 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]514 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]515 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]516 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]519}
520#endif /* MBEDTLS_SSL_DTLS_SRTP */
521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]522int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
523 unsigned char *buf,
524 const unsigned char *end,
525 int uses_ec,
526 size_t *out_len)
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]527{
528 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
529 unsigned char *p = buf;
530 size_t ext_len = 0;
531
532 (void) ssl;
533 (void) end;
534 (void) uses_ec;
535 (void) ret;
536 (void) ext_len;
537
538 *out_len = 0;
539
540 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
541 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
542#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]543 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
544 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
545 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]546 }
547 p += ext_len;
548#endif
549
550#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
551 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]552 if (uses_ec) {
553 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
554 &ext_len)) != 0) {
555 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
556 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]557 }
558 p += ext_len;
559 }
560#endif
561
562#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
564 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
565 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]566 }
567 p += ext_len;
568#endif
569
570#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
572 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
573 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]574 }
575 p += ext_len;
576#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
577
578#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
580 &ext_len)) != 0) {
581 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
582 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]583 }
584 p += ext_len;
585#endif
586
587#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
589 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
590 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]591 }
592 p += ext_len;
593#endif
594
595#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
597 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
598 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]599 }
600 p += ext_len;
601#endif
602
603#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
605 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
606 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]607 }
608 p += ext_len;
609#endif
610
611#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]612 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
613 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
614 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]615 }
616 p += ext_len;
617#endif
618
619 *out_len = p - buf;
620
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621 return 0;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]622}
623
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]624MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
626 const unsigned char *buf,
627 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]628{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]630 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]631 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (len != 1 + ssl->verify_data_len * 2 ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]633 buf[0] != ssl->verify_data_len * 2 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 mbedtls_ct_memcmp(buf + 1,
635 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
636 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
637 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
638 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]639 mbedtls_ssl_send_alert_message(
640 ssl,
641 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
643 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]644 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]647 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 if (len != 1 || buf[0] != 0x00) {
649 MBEDTLS_SSL_DEBUG_MSG(1,
650 ("non-zero length renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]651 mbedtls_ssl_send_alert_message(
652 ssl,
653 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
655 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]656 }
657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]659 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]661 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]662}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]665MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
667 const unsigned char *buf,
668 size_t len)
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]669{
670 /*
671 * server should use the extension only if we did,
672 * and if so the server's value should match ours (and len is always 1)
673 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]675 len != 1 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 buf[0] != ssl->conf->mfl_code) {
677 MBEDTLS_SSL_DEBUG_MSG(1,
678 ("non-matching max fragment length extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]679 mbedtls_ssl_send_alert_message(
680 ssl,
681 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
683 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]684 }
685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]686 return 0;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]687}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]688#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]689
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]690#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]691MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]692static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
693 const unsigned char *buf,
694 size_t len)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]695{
696 size_t peer_cid_len;
697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698 if ( /* CID extension only makes sense in DTLS */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]699 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
700 /* The server must only send the CID extension if we have offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
702 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
703 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
704 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
705 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]706 }
707
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]708 if (len == 0) {
709 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
710 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
711 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
712 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]713 }
714
715 peer_cid_len = *buf++;
716 len--;
717
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
719 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
720 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
721 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
722 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]723 }
724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]725 if (len != peer_cid_len) {
726 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
727 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
729 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]730 }
731
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]732 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]733 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]736 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
737 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]738
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 return 0;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]740}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]741#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]744MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
746 const unsigned char *buf,
747 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]748{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
750 len != 0) {
751 MBEDTLS_SSL_DEBUG_MSG(1,
752 ("non-matching encrypt-then-MAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]753 mbedtls_ssl_send_alert_message(
754 ssl,
755 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
757 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]758 }
759
760 ((void) buf);
761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]762 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]765}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]766#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]769MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
771 const unsigned char *buf,
772 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]773{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]774 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
775 len != 0) {
776 MBEDTLS_SSL_DEBUG_MSG(1,
777 ("non-matching extended master secret extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]778 mbedtls_ssl_send_alert_message(
779 ssl,
780 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
782 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]783 }
784
785 ((void) buf);
786
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]787 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]790}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]791#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]793#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
796 const unsigned char *buf,
797 size_t len)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]798{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]799 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
800 len != 0) {
801 MBEDTLS_SSL_DEBUG_MSG(1,
802 ("non-matching session ticket extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]803 mbedtls_ssl_send_alert_message(
804 ssl,
805 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
807 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]808 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]809
810 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]811
812 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]814 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]815}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]816#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]817
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]818#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]819 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]820MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
822 const unsigned char *buf,
823 size_t len)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]824{
825 size_t list_size;
826 const unsigned char *p;
827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 if (len == 0 || (size_t) (buf[0] + 1) != len) {
829 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
830 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
831 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
832 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]833 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]834 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]835
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]836 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]837 while (list_size > 0) {
838 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
839 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti46423162023-03-27 14:33:27 +0200[diff] [blame]840#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]841 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti77a904c2023-03-24 07:28:49 +0100[diff] [blame]842#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]843#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]844 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
845 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
846 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]847#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]848 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
849 return 0;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]850 }
851
852 list_size--;
853 p++;
854 }
855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
857 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
858 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
859 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]860}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]861#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]862 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]863
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]864#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]865MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]866static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
867 const unsigned char *buf,
868 size_t len)
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]869{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]870 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]871
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 if (ssl->handshake->ciphersuite_info->key_exchange !=
873 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
874 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
875 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]876 }
877
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]878 /* If we got here, we no longer need our cached extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 mbedtls_free(ssl->handshake->ecjpake_cache);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]880 ssl->handshake->ecjpake_cache = NULL;
881 ssl->handshake->ecjpake_cache_len = 0;
882
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]883#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]884 if ((ret = mbedtls_psa_ecjpake_read_round(
885 &ssl->handshake->psa_pake_ctx, buf, len,
886 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
887 psa_destroy_key(ssl->handshake->psa_pake_password);
888 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]889
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]890 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]891 mbedtls_ssl_send_alert_message(
892 ssl,
893 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
895 return ret;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]896 }
897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 return 0;
899#else
900 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
901 buf, len)) != 0) {
902 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
903 mbedtls_ssl_send_alert_message(
904 ssl,
905 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
906 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
907 return ret;
908 }
909
910 return 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]911#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]912}
913#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]916MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
918 const unsigned char *buf, size_t len)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]919{
920 size_t list_len, name_len;
921 const char **p;
922
923 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 if (ssl->conf->alpn_list == NULL) {
925 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]926 mbedtls_ssl_send_alert_message(
927 ssl,
928 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
930 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]931 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]932
933 /*
934 * opaque ProtocolName<1..2^8-1>;
935 *
936 * struct {
937 * ProtocolName protocol_name_list<2..2^16-1>
938 * } ProtocolNameList;
939 *
940 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
941 */
942
943 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 if (len < 4) {
945 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
946 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
947 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]948 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 list_len = (buf[0] << 8) | buf[1];
951 if (list_len != len - 2) {
952 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
953 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
954 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]955 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]956
957 name_len = buf[2];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]958 if (name_len != list_len - 1) {
959 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
961 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]962 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]963
964 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
966 if (name_len == strlen(*p) &&
967 memcmp(buf + 3, *p, name_len) == 0) {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]968 ssl->alpn_chosen = *p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]970 }
971 }
972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
974 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
975 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
976 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]977}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]979
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]980#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]981MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]982static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
983 const unsigned char *buf,
984 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]985{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]986 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]987 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]988 uint16_t server_protection_profile_value = 0;
989
990 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
992 (ssl->conf->dtls_srtp_profile_list == NULL) ||
993 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
994 return 0;
995 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]996
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]997 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]998 * uint8 SRTPProtectionProfile[2];
999 *
1000 * struct {
1001 * SRTPProtectionProfiles SRTPProtectionProfiles;
1002 * opaque srtp_mki<0..255>;
1003 * } UseSRTPData;
1004
1005 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1006 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1007 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1008 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1009 mki_len = ssl->dtls_srtp_info.mki_len;
1010 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1011
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1012 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1013 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1014 * + protection profile (2 bytes)
1015 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1016 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1017 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1018 if ((len < 5) || (len != (buf[4] + 5u))) {
1019 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1020 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1021
1022 /*
1023 * get the server protection profile
1024 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1025
1026 /*
1027 * protection profile length must be 0x0002 as we must have only
1028 * one protection profile in server Hello
1029 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 if ((buf[0] != 0) || (buf[1] != 2)) {
1031 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1032 }
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1033
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1034 server_protection_profile_value = (buf[2] << 8) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1035 server_protection = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1036 server_protection_profile_value);
1037 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1038 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1039 mbedtls_ssl_get_srtp_profile_as_string(
1040 server_protection)));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1041 }
1042
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1043 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1044
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1045 /*
1046 * Check we have the server profile in our list
1047 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1048 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1049 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1050 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1052 mbedtls_ssl_get_srtp_profile_as_string(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1053 server_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1054 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1055 }
1056 }
1057
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1058 /* If no match was found : server problem, it shall never answer with incompatible profile */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1060 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1061 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1062 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1063 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1064
1065 /* If server does not use mki in its reply, make sure the client won't keep
1066 * one as negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067 if (len == 5) {
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1068 ssl->dtls_srtp_info.mki_len = 0;
1069 }
1070
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1071 /*
1072 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1073 * If the client detects a nonzero-length MKI in the server's response
1074 * that is different than the one the client offered, then the client
1075 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1076 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1077 if (len > 5 && (buf[4] != mki_len ||
1078 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1079 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1080 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1081 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1082 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1083#if defined(MBEDTLS_DEBUG_C)
1084 if (len > 5) {
1085 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1086 ssl->dtls_srtp_info.mki_len);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1087 }
1088#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1089 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1090}
1091#endif /* MBEDTLS_SSL_DTLS_SRTP */
1092
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1093/*
1094 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1095 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1097MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1098static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1099{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1100 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1101 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1102 uint16_t dtls_legacy_version;
Jerry Yue01304f2022-04-07 10:51:55 +0800[diff] [blame]1103
1104#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1105 uint8_t cookie_len;
1106#else
1107 uint16_t cookie_len;
1108#endif
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1111
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1112 /* Check that there is enough room for:
1113 * - 2 bytes of version
1114 * - 1 byte of cookie_len
1115 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1117 MBEDTLS_SSL_DEBUG_MSG(1,
1118 ("incoming HelloVerifyRequest message is too short"));
1119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1120 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1121 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1122 }
1123
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1124 /*
1125 * struct {
1126 * ProtocolVersion server_version;
1127 * opaque cookie<0..2^8-1>;
1128 * } HelloVerifyRequest;
1129 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1130 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1131 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1132 p += 2;
1133
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1134 /*
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1135 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1136 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1137 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1138 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1139 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1140 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1142 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1143 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1145 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1146 }
1147
1148 cookie_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1149 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1150 MBEDTLS_SSL_DEBUG_MSG(1,
1151 ("cookie length does not match incoming message size"));
1152 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1153 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1154 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1155 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1156 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1157
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1158 mbedtls_free(ssl->handshake->cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1160 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1161 if (ssl->handshake->cookie == NULL) {
1162 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1163 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1164 }
1165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1166 memcpy(ssl->handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1167 ssl->handshake->cookie_len = cookie_len;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1168
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1169 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1171 ret = mbedtls_ssl_reset_checksum(ssl);
1172 if (0 != ret) {
1173 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1174 return ret;
1175 }
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1177 mbedtls_ssl_recv_flight_completed(ssl);
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1179 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1181 return 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1182}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1184
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1185MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1186static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1188 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1189 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1190 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1191 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1192 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1193#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1194 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1195#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1196 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1197 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1201 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1202 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1204 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 }
1206
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]1207 buf = ssl->in_msg;
1208
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1209 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1210#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1212 ssl->renego_records_seen++;
1213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1214 if (ssl->conf->renego_max_records >= 0 &&
1215 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1216 MBEDTLS_SSL_DEBUG_MSG(1,
1217 ("renegotiation requested, but not honored by server"));
1218 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1219 }
1220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1221 MBEDTLS_SSL_DEBUG_MSG(1,
1222 ("non-handshake message during renegotiation"));
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1223
1224 ssl->keep_current_message = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1225 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1226 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1227#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1230 mbedtls_ssl_send_alert_message(
1231 ssl,
1232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1234 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 }
1236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1238 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1239 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1240 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1241 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1242 return ssl_parse_hello_verify_request(ssl);
1243 } else {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1244 /* We made it through the verification process */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1245 mbedtls_free(ssl->handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]1246 ssl->handshake->cookie = NULL;
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1247 ssl->handshake->cookie_len = 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1248 }
1249 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1250#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1252 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1253 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1254 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1256 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1257 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 }
1259
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1260 /*
1261 * 0 . 1 server_version
1262 * 2 . 33 random (maybe including 4 bytes of Unix time)
1263 * 34 . 34 session_id length = n
1264 * 35 . 34+n session_id
1265 * 35+n . 36+n cipher_suite
1266 * 37+n . 37+n compression_method
1267 *
1268 * 38+n . 39+n extensions length (optional)
1269 * 40+n . .. extensions
1270 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1271 buf += mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1273 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1274 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1275 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1276 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1278 if (ssl->tls_version < ssl->conf->min_tls_version ||
1279 ssl->tls_version > ssl->conf->max_tls_version) {
1280 MBEDTLS_SSL_DEBUG_MSG(1,
1281 (
1282 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1283 (unsigned) ssl->conf->min_tls_version,
1284 (unsigned) ssl->tls_version,
1285 (unsigned) ssl->conf->max_tls_version));
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1287 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1288 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1290 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1291 }
1292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1293 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1294 ((unsigned long) buf[2] << 24) |
1295 ((unsigned long) buf[3] << 16) |
1296 ((unsigned long) buf[4] << 8) |
1297 ((unsigned long) buf[5])));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1299 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1301 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1303 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1305 if (n > 32) {
1306 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1307 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1308 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1309 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1310 }
1311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1312 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1313 ext_len = ((buf[38 + n] << 8)
1314 | (buf[39 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1316 if ((ext_len > 0 && ext_len < 4) ||
1317 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1318 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1319 mbedtls_ssl_send_alert_message(
1320 ssl,
1321 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1322 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1323 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1324 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1325 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1326 ext_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1327 } else {
1328 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1329 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1330 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1331 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1332 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1334 /* ciphersuite (used later) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 i = (buf[35 + n] << 8) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1336
1337 /*
1338 * Read and check compression
1339 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1340 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1342 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1343 MBEDTLS_SSL_DEBUG_MSG(1,
1344 ("server hello, bad compression: %d", comp));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1345 mbedtls_ssl_send_alert_message(
1346 ssl,
1347 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1348 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1349 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1350 }
1351
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1352 /*
1353 * Initialize update checksum functions
1354 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1355 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1356 if (ssl->handshake->ciphersuite_info == NULL) {
1357 MBEDTLS_SSL_DEBUG_MSG(1,
1358 ("ciphersuite info for %04x not found", (unsigned int) i));
1359 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1360 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1361 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1362 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1364 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1365
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1366 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1367 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1368
1369 /*
1370 * Check if the session can be resumed
1371 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1372 if (ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1373#if defined(MBEDTLS_SSL_RENEGOTIATION)
1374 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1375#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1376 ssl->session_negotiate->ciphersuite != i ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1377 ssl->session_negotiate->id_len != n ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1380 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 ssl->session_negotiate->start = mbedtls_time(NULL);
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1383#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1384 ssl->session_negotiate->ciphersuite = i;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1385 ssl->session_negotiate->id_len = n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1386 memcpy(ssl->session_negotiate->id, buf + 35, n);
1387 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1388 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1389 }
1390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1391 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1392 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1393
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1394 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1395 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1396 buf[37 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1397
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1398 /*
1399 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1400 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1401 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1402 while (1) {
1403 if (ssl->conf->ciphersuite_list[i] == 0) {
1404 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1405 mbedtls_ssl_send_alert_message(
1406 ssl,
1407 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1408 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1409 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1410 }
1411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1412 if (ssl->conf->ciphersuite_list[i++] ==
1413 ssl->session_negotiate->ciphersuite) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1414 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1415 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 }
1417
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1418 suite_info = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1419 ssl->session_negotiate->ciphersuite);
1420 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1421 ssl->tls_version) != 0) {
1422 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1423 mbedtls_ssl_send_alert_message(
1424 ssl,
1425 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1427 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1428 }
1429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1430 MBEDTLS_SSL_DEBUG_MSG(3,
1431 ("server hello, chosen ciphersuite: %s", suite_info->name));
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1432
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1433#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1434 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1435 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1436 ssl->handshake->ecrs_enabled = 1;
1437 }
1438#endif
1439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1441 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1442 mbedtls_ssl_send_alert_message(
1443 ssl,
1444 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1445 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1446 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1447 }
1448
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1449 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1450
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1451 MBEDTLS_SSL_DEBUG_MSG(2,
1452 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1453 ext_len));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1455 while (ext_len) {
1456 unsigned int ext_id = ((ext[0] << 8)
1457 | (ext[1]));
1458 unsigned int ext_size = ((ext[2] << 8)
1459 | (ext[3]));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1460
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1461 if (ext_size + 4 > ext_len) {
1462 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1463 mbedtls_ssl_send_alert_message(
1464 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1465 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1466 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1467 }
1468
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1469 switch (ext_id) {
1470 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1471 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1472#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1473 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1474#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1477 ext_size)) != 0) {
1478 return ret;
1479 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1480
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1481 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1483#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1484 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1485 MBEDTLS_SSL_DEBUG_MSG(3,
1486 ("found max_fragment_length extension"));
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1489 ext + 4, ext_size)) != 0) {
1490 return ret;
1491 }
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1492
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1493 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1494#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1495
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1496#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1497 case MBEDTLS_TLS_EXT_CID:
1498 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1500 if ((ret = ssl_parse_cid_ext(ssl,
1501 ext + 4,
1502 ext_size)) != 0) {
1503 return ret;
1504 }
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1505
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1506 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1507#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1510 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1511 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1514 ext + 4, ext_size)) != 0) {
1515 return ret;
1516 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1518 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1522 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1523 MBEDTLS_SSL_DEBUG_MSG(3,
1524 ("found extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1525
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1526 if ((ret = ssl_parse_extended_ms_ext(ssl,
1527 ext + 4, ext_size)) != 0) {
1528 return ret;
1529 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1531 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1532#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1535 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1536 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 if ((ret = ssl_parse_session_ticket_ext(ssl,
1539 ext + 4, ext_size)) != 0) {
1540 return ret;
1541 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1543 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1545
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1546#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1547 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1548 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1549 MBEDTLS_SSL_DEBUG_MSG(3,
1550 ("found supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1552 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1553 ext + 4, ext_size)) != 0) {
1554 return ret;
1555 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1556
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1557 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1558#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1559 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1560
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1561#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1562 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1563 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1564
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1566 ext + 4, ext_size)) != 0) {
1567 return ret;
1568 }
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1569
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1570 break;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1571#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1572
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1573#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1574 case MBEDTLS_TLS_EXT_ALPN:
1575 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1577 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1578 return ret;
1579 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1580
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1581 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1582#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1583
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1584#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1585 case MBEDTLS_TLS_EXT_USE_SRTP:
1586 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1587
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1588 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1589 return ret;
1590 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1591
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1592 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1593#endif /* MBEDTLS_SSL_DTLS_SRTP */
1594
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 default:
1596 MBEDTLS_SSL_DEBUG_MSG(3,
1597 ("unknown extension found: %u (ignoring)", ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1598 }
1599
1600 ext_len -= 4 + ext_size;
1601 ext += 4 + ext_size;
1602
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1603 if (ext_len > 0 && ext_len < 4) {
1604 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1605 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1606 }
1607 }
1608
1609 /*
Andrzej Kurek21b50802022-07-06 03:26:55 -0400[diff] [blame]1610 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1611 * extensions. It sets the transform data for the resumed session which in
1612 * case of DTLS includes the server CID extracted from the CID extension.
1613 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1614 if (ssl->handshake->resume) {
1615 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1616 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1617 mbedtls_ssl_send_alert_message(
1618 ssl,
1619 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1620 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1621 return ret;
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1622 }
1623 }
1624
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1625 /*
1626 * Renegotiation security checks
1627 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1628 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1629 ssl->conf->allow_legacy_renegotiation ==
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1630 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1631 MBEDTLS_SSL_DEBUG_MSG(1,
1632 ("legacy renegotiation, breaking off handshake"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1633 handshake_failure = 1;
1634 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1635#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1636 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1637 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1638 renegotiation_info_seen == 0) {
1639 MBEDTLS_SSL_DEBUG_MSG(1,
1640 ("renegotiation_info extension missing (secure)"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1641 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1643 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1644 ssl->conf->allow_legacy_renegotiation ==
1645 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1646 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1647 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1648 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1649 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1650 renegotiation_info_seen == 1) {
1651 MBEDTLS_SSL_DEBUG_MSG(1,
1652 ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1653 handshake_failure = 1;
1654 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1656
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1657 if (handshake_failure == 1) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1658 mbedtls_ssl_send_alert_message(
1659 ssl,
1660 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1662 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1663 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1666
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1667 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668}
1669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1671 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1672MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1674 unsigned char **p,
1675 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1676{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]1678 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1679
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1680 /*
1681 * Ephemeral DH parameters:
1682 *
1683 * struct {
1684 * opaque dh_p<1..2^16-1>;
1685 * opaque dh_g<1..2^16-1>;
1686 * opaque dh_Ys<1..2^16-1>;
1687 * } ServerDHParams;
1688 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1689 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1690 p, end)) != 0) {
1691 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1692 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1693 }
1694
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1695 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1696 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1697 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1698 dhm_actual_bitlen,
1699 ssl->conf->dhm_min_bitlen));
1700 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1701 }
1702
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1703 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1704 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1705 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1706
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1707 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1708}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1709#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1710 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1711
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1712#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1713#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1714 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1715 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1716MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1718 unsigned char **p,
1719 unsigned char *end)
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1720{
1721 uint16_t tls_id;
1722 uint8_t ecpoint_len;
1723 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]1724 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1725 size_t ec_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1726
1727 /*
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1728 * struct {
1729 * ECParameters curve_params;
1730 * ECPoint public;
1731 * } ServerECDHParams;
1732 *
Manuel Pégourié-Gonnard422370d2022-02-07 11:55:21 +0100[diff] [blame]1733 * 1 curve_type (must be "named_curve")
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1734 * 2..3 NamedCurve
1735 * 4 ECPoint.len
1736 * 5+ ECPoint contents
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1737 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1738 if (end - *p < 4) {
1739 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1740 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1741
1742 /* First byte is curve_type; only named_curve is handled */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1743 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1744 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1745 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1746
1747 /* Next two bytes are the namedcurve value */
1748 tls_id = *(*p)++;
1749 tls_id <<= 8;
1750 tls_id |= *(*p)++;
1751
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1752 /* Check it's a curve we offered */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1753 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1754 MBEDTLS_SSL_DEBUG_MSG(2,
1755 ("bad server key exchange message (ECDHE curve): %u",
1756 (unsigned) tls_id));
1757 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardff229cf2022-02-07 12:00:32 +0100[diff] [blame]1758 }
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1759
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1760 /* Convert EC's TLS ID to PSA key type. */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]1761 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1762 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1763 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1764 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1765 handshake->xxdh_psa_type = key_type;
1766 handshake->xxdh_bits = ec_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1767
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1768 /* Keep a copy of the peer's public key */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1769 ecpoint_len = *(*p)++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1770 if ((size_t) (end - *p) < ecpoint_len) {
1771 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1772 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1773
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1774 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
1775 the sizes of the FFDH keys which are at least 2048 bits.
1776 The size of the array is thus greater than 256 bytes which is greater than any
1777 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1778#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1779 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1780 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1781 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1782#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]1783 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
1784 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1785#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1786
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1787 memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
1788 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1789 *p += ecpoint_len;
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1790
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1791 return 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1792}
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1793#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1794 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1795 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1796#else
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1797#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1798 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1799 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1800 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1801 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1802MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1803static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1804{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]1805 uint16_t tls_id;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1806 mbedtls_ecp_group_id grp_id;
1807#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1808 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1809#else
1810 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1811#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1813 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1814 if (tls_id == 0) {
1815 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1816 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1817 }
1818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1819 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1820 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1821
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1822 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1823 return -1;
1824 }
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1825
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1826 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1827 MBEDTLS_DEBUG_ECDH_QP);
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1829 return 0;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1830}
1831
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1832#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1833 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1834 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1835 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1836 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1837
1838#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1839 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1840 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1841MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1842static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1843 unsigned char **p,
1844 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1845{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1846 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1847
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1848 /*
1849 * Ephemeral ECDH parameters:
1850 *
1851 * struct {
1852 * ECParameters curve_params;
1853 * ECPoint public;
1854 * } ServerECDHParams;
1855 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1856 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1857 (const unsigned char **) p, end)) != 0) {
1858 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1859#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1860 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]1861 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1862 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]1863#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1864 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1865 }
1866
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1867 if (ssl_check_server_ecdh_params(ssl) != 0) {
1868 MBEDTLS_SSL_DEBUG_MSG(1,
1869 ("bad server key exchange message (ECDHE curve)"));
1870 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1871 }
1872
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1873 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1874}
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1875#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1876 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1877 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1878#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1879#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1880MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1881static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1882 unsigned char **p,
1883 unsigned char *end)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1884{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]1886 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1887 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1888
1889 /*
1890 * PSK parameters:
1891 *
1892 * opaque psk_identity_hint<0..2^16-1>;
1893 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1894 if (end - (*p) < 2) {
1895 MBEDTLS_SSL_DEBUG_MSG(1,
1896 ("bad server key exchange message (psk_identity_hint length)"));
1897 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]1898 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]1899 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1900 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1901
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1902 if (end - (*p) < len) {
1903 MBEDTLS_SSL_DEBUG_MSG(1,
1904 ("bad server key exchange message (psk_identity_hint length)"));
1905 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1906 }
1907
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1908 /*
Tom Cosgroveed4f59e2022-12-05 12:07:50 +0000[diff] [blame]1909 * Note: we currently ignore the PSK identity hint, as we only allow one
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1910 * PSK to be provisioned on the client. This could be changed later if
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1911 * someone needs that feature.
1912 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1913 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1914 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1915
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1916 return ret;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1917}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1918#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1919
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1920#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1921 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1922/*
1923 * Generate a pre-master secret and encrypt it with the server's RSA key
1924 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1925MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1926static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1927 size_t offset, size_t *olen,
1928 size_t pms_offset)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1929{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1930 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1931 size_t len_bytes = 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1932 unsigned char *p = ssl->handshake->premaster + pms_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1933 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1934
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1935 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1936 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1937 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]1938 }
1939
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1940 /*
1941 * Generate (part of) the pre-master as
1942 * struct {
1943 * ProtocolVersion client_version;
1944 * opaque random[46];
1945 * } PreMasterSecret;
1946 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1947 mbedtls_ssl_write_version(p, ssl->conf->transport,
1948 MBEDTLS_SSL_VERSION_TLS1_2);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1951 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1952 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1953 }
1954
1955 ssl->handshake->pmslen = 48;
1956
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1957#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1958 peer_pk = &ssl->handshake->peer_pubkey;
1959#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1960 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]1961 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1963 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1964 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1965 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1966#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1967
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1968 /*
1969 * Now write it out, encrypted
1970 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1971 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1972 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1973 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1974 }
1975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1976 if ((ret = mbedtls_pk_encrypt(peer_pk,
1977 p, ssl->handshake->pmslen,
1978 ssl->out_msg + offset + len_bytes, olen,
1979 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1980 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1981 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1982 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1983 }
1984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1985 if (len_bytes == 2) {
1986 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1987 *olen += 2;
1988 }
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1989
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1990#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1991 /* We don't need the peer's public key anymore. Free it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1993#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1994 return 0;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1995}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1997 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1998
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2000 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2001MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2002static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2003{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2004 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2005 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2006
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2007#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2008 peer_pk = &ssl->handshake->peer_pubkey;
2009#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2010 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2011 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2012 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2013 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2014 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2015 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2016#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2017
Manuel Pégourié-Gonnard66b0d612022-06-17 10:49:29 +0200[diff] [blame]2018 /* This is a public key, so it can't be opaque, so can_do() is a good
2019 * enough check to ensure pk_ec() is safe to use below. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2020 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2021 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2022 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2023 }
2024
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2025#if defined(MBEDTLS_ECP_C)
2026 const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
2027#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2028
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2029#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2030 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2031 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2032 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2033
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2034 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2035 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2036 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2037 }
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2038
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2039 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2040 if (tls_id == 0) {
2041 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2042 grp_id));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2043 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2044 }
2045
Valerio Setti1e868cc2023-01-09 17:30:01 +0100[diff] [blame]2046 /* If the above conversion to TLS ID was fine, then also this one will be,
2047 so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2048 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2049 &ssl->handshake->xxdh_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2050
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2051 ssl->handshake->xxdh_psa_type = key_type;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2052
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2053 /* Store peer's public key in psa format. */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2054#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2055 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2056 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2057 ret = 0;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2058#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2059 size_t olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2060 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2061 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2062 ssl->handshake->xxdh_psa_peerkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2063 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2065 if (ret != 0) {
2066 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2067 return ret;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2068 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2069 ssl->handshake->xxdh_psa_peerkey_len = olen;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2070#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2071#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2072 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2073 MBEDTLS_ECDH_THEIRS)) != 0) {
2074 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2075 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2076 }
2077
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 if (ssl_check_server_ecdh_params(ssl) != 0) {
2079 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2080 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2081 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2082#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2083#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2084 /* We don't need the peer's public key anymore. Free it,
2085 * so that more RAM is available for upcoming expensive
2086 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2087 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2088#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2090 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2091}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2092#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2093 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2094
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2095MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2096static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2097{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2098 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2099 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2100 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2101 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2102
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2103 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2107 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2109 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2110 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2111 ((void) p);
2112 ((void) end);
2113#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2116 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2117 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2118 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2119 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2120 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2121 mbedtls_ssl_send_alert_message(
2122 ssl,
2123 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2125 return ret;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2126 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2127
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2128 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2129 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2130 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2131 }
2132 ((void) p);
2133 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2134#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2135 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2136
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2137#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2138 if (ssl->handshake->ecrs_enabled &&
2139 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2140 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2141 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2142#endif
2143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2144 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2145 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2146 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2147 }
2148
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2149 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2150 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2151 mbedtls_ssl_send_alert_message(
2152 ssl,
2153 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2154 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2155 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156 }
2157
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2158 /*
2159 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2160 * doesn't use a psk_identity_hint
2161 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2162 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2163 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2164 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2165 /* Current message is probably either
2166 * CertificateRequest or ServerHelloDone */
2167 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2168 goto exit;
2169 }
2170
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2171 MBEDTLS_SSL_DEBUG_MSG(1,
2172 ("server key exchange message must not be skipped"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2173 mbedtls_ssl_send_alert_message(
2174 ssl,
2175 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179 }
2180
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2181#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2182 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2183 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2184 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2185
2186start_processing:
2187#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2188 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2189 end = ssl->in_msg + ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2190 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2191
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2192#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2193 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2195 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2197 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2198 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2199 mbedtls_ssl_send_alert_message(
2200 ssl,
2201 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2202 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2203 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2204 }
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]2205 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2206#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2207
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2209 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2210 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2211 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2212 ; /* nothing more to do */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2213 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2215 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2216#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2217 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2218 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2219 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2220 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2221 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2222 mbedtls_ssl_send_alert_message(
2223 ssl,
2224 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2225 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2226 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2227 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2228 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2229#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2230 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2231#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2232 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2234 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2235 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2236 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2237 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2238 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2239 mbedtls_ssl_send_alert_message(
2240 ssl,
2241 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2242 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2243 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2244 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2245 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2246#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2247 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2248 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2249#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2250 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2251#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2252 /*
2253 * The first 3 bytes are:
2254 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2255 * [1, 2] elliptic curve's TLS ID
2256 *
2257 * However since we only support secp256r1 for now, we check only
2258 * that TLS ID here
2259 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2260 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2261 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2262 MBEDTLS_ECP_DP_SECP256R1);
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2264 if (exp_tls_id == 0) {
2265 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2266 }
2267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2268 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2269 (read_tls_id != exp_tls_id)) {
2270 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Valerio Setti5151bdf2022-11-21 14:30:02 +0100[diff] [blame]2271 }
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2272
2273 p += 3;
2274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2275 if ((ret = mbedtls_psa_ecjpake_read_round(
2276 &ssl->handshake->psa_pake_ctx, p, end - p,
2277 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2278 psa_destroy_key(ssl->handshake->psa_pake_password);
2279 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2280
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2281 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2282 mbedtls_ssl_send_alert_message(
2283 ssl,
2284 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2285 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2286 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2287 }
2288#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2289 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2290 p, end - p);
2291 if (ret != 0) {
2292 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2293 mbedtls_ssl_send_alert_message(
2294 ssl,
2295 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2296 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2297 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2298 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2299#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2300 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2301#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2302 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2303 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2304 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2305 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2306
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2307#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2308 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2309 size_t sig_len, hashlen;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2310 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]2311
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2312 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2313 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2314 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2315 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2316 void *rs_ctx = NULL;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2317 uint16_t sig_alg;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2319 mbedtls_pk_context *peer_pk;
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]2320
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2321#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2322 peer_pk = &ssl->handshake->peer_pubkey;
2323#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2324 if (ssl->session_negotiate->peer_cert == NULL) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2325 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2326 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2327 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2328 }
2329 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2330#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2331
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2332 /*
2333 * Handle the digitally-signed structure
2334 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2335 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2336 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2337 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2338 sig_alg, &pk_alg, &md_alg) != 0 &&
2339 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2340 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2341 MBEDTLS_SSL_DEBUG_MSG(1,
2342 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2343 mbedtls_ssl_send_alert_message(
2344 ssl,
2345 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2346 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2347 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2348 }
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2349 p += 2;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2351 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2352 MBEDTLS_SSL_DEBUG_MSG(1,
2353 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2354 mbedtls_ssl_send_alert_message(
2355 ssl,
2356 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2357 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2358 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2359 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2360
2361 /*
2362 * Read signature
2363 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2365 if (p > end - 2) {
2366 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2367 mbedtls_ssl_send_alert_message(
2368 ssl,
2369 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2370 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2371 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2372 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2373 sig_len = (p[0] << 8) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2374 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2376 if (p != end - sig_len) {
2377 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2378 mbedtls_ssl_send_alert_message(
2379 ssl,
2380 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2381 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2382 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2383 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2385 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2386
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2387 /*
2388 * Compute the hash that has been signed
2389 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2390 if (md_alg != MBEDTLS_MD_NONE) {
2391 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2392 params, params_len,
2393 md_alg);
2394 if (ret != 0) {
2395 return ret;
2396 }
2397 } else {
2398 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2399 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2400 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2402 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2403
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2404 /*
2405 * Verify signature
2406 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2407 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2408 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2409 mbedtls_ssl_send_alert_message(
2410 ssl,
2411 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2412 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2413 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2414 }
2415
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2416#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2417 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2418 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2420#endif
2421
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2422#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2423 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2424 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2425 rsassa_pss_options.mgf1_hash_id = md_alg;
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2426 rsassa_pss_options.expected_salt_len =
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]2427 mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2428 if (rsassa_pss_options.expected_salt_len == 0) {
2429 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2430 }
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2431
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2432 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2433 peer_pk,
2434 md_alg, hash, hashlen,
2435 p, sig_len);
2436 } else
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2437#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2438 ret = mbedtls_pk_verify_restartable(peer_pk,
2439 md_alg, hash, hashlen, p, sig_len, rs_ctx);
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 if (ret != 0) {
David Horstmannb21bbef2022-10-06 17:49:31 +0100[diff] [blame]2442 int send_alert_msg = 1;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2443#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2444 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2445#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2446 if (send_alert_msg) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2447 mbedtls_ssl_send_alert_message(
2448 ssl,
2449 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2450 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2451 }
2452 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2453#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2454 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2455 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2456 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2457#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2458 return ret;
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2459 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2460
2461#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2462 /* We don't need the peer's public key anymore. Free it,
2463 * so that more RAM is available for upcoming expensive
2464 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2466#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2468#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2469
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2470exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2471 ssl->state++;
2472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2473 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2475 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2476}
2477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2478#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2479MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2480static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2481{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2482 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2483 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2484
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2487 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2488 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2489 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2490 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2491 }
2492
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2493 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2494 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2495}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2496#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2497MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2498static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2499{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2501 unsigned char *buf;
2502 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2503 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2504 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2505 ssl->handshake->ciphersuite_info;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2506 size_t sig_alg_len;
2507#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2508 unsigned char *sig_alg;
2509 unsigned char *dn;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2510#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2513
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2514 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2515 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2516 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2517 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2518 }
2519
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2520 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2521 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2522 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2523 }
2524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2525 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2526 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2527 mbedtls_ssl_send_alert_message(
2528 ssl,
2529 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2530 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2531 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2532 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2533
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2534 ssl->state++;
Jerry Yufb28b882022-01-28 11:05:58 +0800[diff] [blame]2535 ssl->handshake->client_auth =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2538 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2539 ssl->handshake->client_auth ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2541 if (ssl->handshake->client_auth == 0) {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]2542 /* Current message is probably the ServerHelloDone */
2543 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2544 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2545 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2546
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2547 /*
2548 * struct {
2549 * ClientCertificateType certificate_types<1..2^8-1>;
2550 * SignatureAndHashAlgorithm
2551 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2552 * DistinguishedName certificate_authorities<0..2^16-1>;
2553 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2554 *
2555 * Since we only support a single certificate on clients, let's just
2556 * ignore all the information that's supposed to help us pick a
2557 * certificate.
2558 *
2559 * We could check that our certificate matches the request, and bail out
2560 * if it doesn't, but it's simpler to just send the certificate anyway,
2561 * and give the server the opportunity to decide if it should terminate
2562 * the connection when it doesn't like our certificate.
2563 *
2564 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2565 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]2566 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2567 *
2568 * However, we still minimally parse the message to check it is at least
2569 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2570 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2571 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2572
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2573 /* certificate_types */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2574 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2575 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2576 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2577 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2578 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]2579 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2580 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2581 n = cert_type_len;
2582
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2583 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2584 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2585 * * the length of the signature algorithms field (if minor version of
2586 * SSL is 3),
2587 * * distinguished name length otherwise.
2588 * Both reach at most the index:
2589 * ...hdr_len + 2 + n,
2590 * therefore the buffer length at this point must be greater than that
2591 * regardless of the actual code path.
2592 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2593 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2594 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2595 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2596 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2597 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2598 }
2599
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2600 /* supported_signature_algorithms */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2601 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2602 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2603
2604 /*
2605 * The furthest access in buf is in the loop few lines below:
2606 * sig_alg[i + 1],
2607 * where:
2608 * sig_alg = buf + ...hdr_len + 3 + n,
2609 * max(i) = sig_alg_len - 1.
2610 * Therefore the furthest access is:
2611 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2612 * which reduces to:
2613 * buf[...hdr_len + 3 + n + sig_alg_len],
2614 * which is one less than we need the buf to be.
2615 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2616 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2617 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2618 mbedtls_ssl_send_alert_message(
2619 ssl,
2620 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2621 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2622 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2623 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2624
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2625#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2627 for (size_t i = 0; i < sig_alg_len; i += 2) {
2628 MBEDTLS_SSL_DEBUG_MSG(3,
2629 ("Supported Signature Algorithm found: %02x %02x",
2630 sig_alg[i], sig_alg[i + 1]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2631 }
2632#endif
2633
2634 n += 2 + sig_alg_len;
2635
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2636 /* certificate_authorities */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2637 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2638 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2639
2640 n += dn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2641 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2642 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2643 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2644 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2645 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2646 }
2647
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2648#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2649 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2650 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2651 unsigned char *p = dn + i + 2;
2652 mbedtls_x509_name name;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2653 size_t asn1_len;
2654 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2655 memset(&name, 0, sizeof(name));
2656 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2657 if (dni_len > dn_len - i - 2 ||
2658 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2659 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2660 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2661 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2662 mbedtls_ssl_send_alert_message(
2663 ssl,
2664 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2665 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2666 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2667 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2668 MBEDTLS_SSL_DEBUG_MSG(3,
2669 ("DN hint: %.*s",
2670 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2671 mbedtls_asn1_free_named_data_list_shallow(name.next);
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2672 }
2673#endif
2674
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2675exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2676 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2678 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2679}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2680#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2681
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2682MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2683static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2684{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2685 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2686
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2687 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2689 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2690 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2691 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2692 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2693
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2694 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2695 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2696 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2697 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2698
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2699 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2700 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2701 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2702 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2703 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2704 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2705 }
2706
2707 ssl->state++;
2708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2709#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2710 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2711 mbedtls_ssl_recv_flight_completed(ssl);
2712 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2713#endif
2714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2715 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2716
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2717 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2718}
2719
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2720MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2721static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2722{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2723 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2724
2725 size_t header_len;
2726 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2727 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2728 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2730 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2732#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2733 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2734 /*
2735 * DHM key exchange -- send G^X mod P
2736 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2737 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2738
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2739 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2740 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2742 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2743 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2744 &ssl->out_msg[header_len], content_len,
2745 ssl->conf->f_rng, ssl->conf->p_rng);
2746 if (ret != 0) {
2747 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2748 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2749 }
2750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2751 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2752 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2754 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2755 ssl->handshake->premaster,
2756 MBEDTLS_PREMASTER_SIZE,
2757 &ssl->handshake->pmslen,
2758 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2759 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2760 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2761 }
2762
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2763 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2764 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2765#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2766#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2767 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2768 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2769 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2770 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Przemek Stekield905d332022-03-16 09:50:56 +0100[diff] [blame]2771 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2772 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2773 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2774#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2775 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2776 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2777 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2778
2779 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2780
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2781 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2782
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2783 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]2784
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2785 /*
2786 * Generate EC private key for ECDHE exchange.
2787 */
2788
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2789 /* The master secret is obtained from the shared ECDH secret by
2790 * applying the TLS 1.2 PRF with a specific salt and label. While
2791 * the PSA Crypto API encourages combining key agreement schemes
2792 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2793 * yet support the provisioning of salt + label to the KDF.
2794 * For the time being, we therefore need to split the computation
2795 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2796 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2797 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2798 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2799 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2800 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2801
2802 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2803 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2804 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2805 if (status != PSA_SUCCESS) {
2806 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2807 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2808
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2809 /* Export the public part of the ECDH private key from PSA.
Manuel Pégourié-Gonnard5d6053f2022-02-08 10:26:19 +0100[diff] [blame]2810 * The export format is an ECPoint structure as expected by TLS,
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2811 * but we just need to add a length byte before that. */
2812 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2813 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2814 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2815 size_t own_pubkey_len;
2816
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2817 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2818 own_pubkey, own_pubkey_max_len,
2819 &own_pubkey_len);
2820 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2821 psa_destroy_key(handshake->xxdh_psa_privkey);
2822 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2823 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2824 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2825
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2826 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2827 content_len = own_pubkey_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2828
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2829 /* The ECDH secret is the premaster secret used for key derivation. */
2830
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]2831 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2832 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2833 handshake->xxdh_psa_privkey,
2834 handshake->xxdh_psa_peerkey,
2835 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2836 ssl->handshake->premaster,
2837 sizeof(ssl->handshake->premaster),
2838 &ssl->handshake->pmslen);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2839
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2840 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
2841 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2842
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2843 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2844 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2845 }
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2846#else
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2847 /*
2848 * ECDH key exchange -- send client public value
2849 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2850 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2851
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2852#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2853 if (ssl->handshake->ecrs_enabled) {
2854 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2855 goto ecdh_calc_secret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 }
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]2857
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2858 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2859 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2860#endif
2861
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2862 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2863 &content_len,
2864 &ssl->out_msg[header_len], 1000,
2865 ssl->conf->f_rng, ssl->conf->p_rng);
2866 if (ret != 0) {
2867 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2868#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2869 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2870 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2871 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2872#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2873 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2874 }
2875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2877 MBEDTLS_DEBUG_ECDH_Q);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2878
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2879#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2880 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2881 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]2882 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2883 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2884
2885ecdh_calc_secret:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2886 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2887 content_len = ssl->handshake->ecrs_n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2888 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2889#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2890 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2891 &ssl->handshake->pmslen,
2892 ssl->handshake->premaster,
2893 MBEDTLS_MPI_MAX_SIZE,
2894 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2895 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2896#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2897 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2898 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2899 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2900#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2901 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2902 }
2903
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2904 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2905 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2906#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2907 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2908#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2909 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2910 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2911 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2912#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2913 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2914 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2915 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2916 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2917 psa_key_attributes_t key_attributes;
2918
2919 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2920
2921 /*
2922 * opaque psk_identity<0..2^16-1>;
2923 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2924 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2925 /* We don't offer PSK suites if we don't have a PSK,
2926 * and we check that the server's choice is among the
2927 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2928 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2929 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2930
Neil Armstrongfc834f22022-03-23 17:54:38 +0100[diff] [blame]2931 /* uint16 to store content length */
2932 const size_t content_len_size = 2;
2933
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2934 header_len = 4;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2935
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2936 if (header_len + content_len_size + ssl->conf->psk_identity_len
2937 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2938 MBEDTLS_SSL_DEBUG_MSG(1,
2939 ("psk identity too long or SSL buffer too short"));
2940 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2941 }
2942
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2943 unsigned char *p = ssl->out_msg + header_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2944
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2945 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2946 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2947 header_len += content_len_size;
2948
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2949 memcpy(p, ssl->conf->psk_identity,
2950 ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2951 p += ssl->conf->psk_identity_len;
2952
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2953 header_len += ssl->conf->psk_identity_len;
2954
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2955 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2956
2957 /*
2958 * Generate EC private key for ECDHE exchange.
2959 */
2960
2961 /* The master secret is obtained from the shared ECDH secret by
2962 * applying the TLS 1.2 PRF with a specific salt and label. While
2963 * the PSA Crypto API encourages combining key agreement schemes
2964 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2965 * yet support the provisioning of salt + label to the KDF.
2966 * For the time being, we therefore need to split the computation
2967 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2968 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2969 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2970 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2971 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2972 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2973
2974 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2975 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2976 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2977 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2978 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2979 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2980
2981 /* Export the public part of the ECDH private key from PSA.
2982 * The export format is an ECPoint structure as expected by TLS,
2983 * but we just need to add a length byte before that. */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2984 unsigned char *own_pubkey = p + 1;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2985 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2986 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]2987 size_t own_pubkey_len = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2988
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2989 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2990 own_pubkey, own_pubkey_max_len,
2991 &own_pubkey_len);
2992 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2993 psa_destroy_key(handshake->xxdh_psa_privkey);
2994 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2995 return PSA_TO_MBEDTLS_ERR(status);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2996 }
2997
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2998 *p = (unsigned char) own_pubkey_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2999 content_len = own_pubkey_len + 1;
3000
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3001 /* As RFC 5489 section 2, the premaster secret is formed as follows:
3002 * - a uint16 containing the length (in octets) of the ECDH computation
3003 * - the octet string produced by the ECDH computation
3004 * - a uint16 containing the length (in octets) of the PSK
3005 * - the PSK itself
3006 */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3007 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 const unsigned char * const pms_end = pms +
3009 sizeof(ssl->handshake->premaster);
Neil Armstrong0bdb68a2022-03-23 17:46:32 +0100[diff] [blame]3010 /* uint16 to store length (in octets) of the ECDH computation */
3011 const size_t zlen_size = 2;
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]3012 size_t zlen = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3013
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3014 /* Perform ECDH computation after the uint16 reserved for the length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3015 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3016 handshake->xxdh_psa_privkey,
3017 handshake->xxdh_psa_peerkey,
3018 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3019 pms + zlen_size,
3020 pms_end - (pms + zlen_size),
3021 &zlen);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3022
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3023 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3024 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3025
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3026 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3027 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3028 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3029 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3030 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3031
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3032 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3034 pms += zlen_size + zlen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3035 } else
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3036#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3037 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3038#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3039 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3040 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3041 * opaque psk_identity<0..2^16-1>;
3042 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3043 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3044 /* We don't offer PSK suites if we don't have a PSK,
3045 * and we check that the server's choice is among the
3046 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3047 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3048 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3049
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3050 header_len = 4;
3051 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3052
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3053 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3054 MBEDTLS_SSL_DEBUG_MSG(1,
3055 ("psk identity too long or SSL buffer too short"));
3056 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3057 }
3058
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3059 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3060 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3062 memcpy(ssl->out_msg + header_len,
3063 ssl->conf->psk_identity,
3064 ssl->conf->psk_identity_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3065 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3067#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3068 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3069 content_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3070 } else
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3071#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3072#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3073 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3074 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3075 &content_len, 2)) != 0) {
3076 return ret;
3077 }
3078 } else
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3079#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3080#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3081 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3082 /*
3083 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3084 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3085 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3087 if (header_len + 2 + content_len >
3088 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3089 MBEDTLS_SSL_DEBUG_MSG(1,
3090 ("psk identity or DHM size too long or SSL buffer too short"));
3091 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3092 }
3093
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3094 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3095 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3096
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3097 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3098 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3099 &ssl->out_msg[header_len], content_len,
3100 ssl->conf->f_rng, ssl->conf->p_rng);
3101 if (ret != 0) {
3102 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3103 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3104 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3105
3106#if defined(MBEDTLS_USE_PSA_CRYPTO)
3107 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3108 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3109 size_t pms_len;
3110
3111 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3112 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3113 pms + 2, pms_end - (pms + 2), &pms_len,
3114 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3115 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3116 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3117 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3118 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3119 pms += 2 + pms_len;
3120
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3122#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3123 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3124#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3125#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3126 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3127 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3128 /*
3129 * ClientECDiffieHellmanPublic public;
3130 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3131 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3132 &content_len,
3133 &ssl->out_msg[header_len],
3134 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3135 ssl->conf->f_rng, ssl->conf->p_rng);
3136 if (ret != 0) {
3137 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3138 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3139 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3141 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3142 MBEDTLS_DEBUG_ECDH_Q);
3143 } else
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3144#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3145 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3146 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3147 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3148 }
3149
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3150#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3151 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3152 (mbedtls_key_exchange_type_t) ciphersuite_info->
3153 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3154 MBEDTLS_SSL_DEBUG_RET(1,
3155 "mbedtls_ssl_psk_derive_premaster", ret);
3156 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3157 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3158#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3159 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3160#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3161#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3162 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3163 header_len = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3164 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3165 &content_len, 0)) != 0) {
3166 return ret;
3167 }
3168 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3169#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3170#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3171 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3172 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3173
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3174#if defined(MBEDTLS_USE_PSA_CRYPTO)
3175 unsigned char *out_p = ssl->out_msg + header_len;
3176 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3177 header_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3178 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3179 out_p, end_p - out_p, &content_len,
3180 MBEDTLS_ECJPAKE_ROUND_TWO);
3181 if (ret != 0) {
3182 psa_destroy_key(ssl->handshake->psa_pake_password);
3183 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3184 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3185 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3186 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3187#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3188 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3189 ssl->out_msg + header_len,
3190 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3191 &content_len,
3192 ssl->conf->f_rng, ssl->conf->p_rng);
3193 if (ret != 0) {
3194 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3195 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3196 }
3197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3198 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3199 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3200 ssl->conf->f_rng, ssl->conf->p_rng);
3201 if (ret != 0) {
3202 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3203 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3204 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3205#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3206 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3207#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3208 {
3209 ((void) ciphersuite_info);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3210 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3211 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3212 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3213
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3214 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3215 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3216 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3217
3218 ssl->state++;
3219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3220 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3221 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3222 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3223 }
3224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3225 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3227 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3228}
3229
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3230#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3231MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3232static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3233{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3234 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3235 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3236 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3237
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3238 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3239
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3240 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3241 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3242 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3243 }
3244
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3245 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3246 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3247 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3248 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3249 }
3250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3251 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3252 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3253}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3254#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3255MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3256static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3257{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3258 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3259 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3260 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3261 size_t n = 0, offset = 0;
3262 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3263 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3264 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3265 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3266 void *rs_ctx = NULL;
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3267#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3268 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3269#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3270 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3271#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3272
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3273 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3274
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3275#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3276 if (ssl->handshake->ecrs_enabled &&
3277 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3278 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3279 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3280#endif
3281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3282 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3283 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3284 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3285 }
3286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3287 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3288 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3289 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3290 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3291 }
3292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3293 if (ssl->handshake->client_auth == 0 ||
3294 mbedtls_ssl_own_cert(ssl) == NULL) {
3295 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3296 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3297 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3298 }
3299
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3300 if (mbedtls_ssl_own_key(ssl) == NULL) {
3301 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3302 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3303 }
3304
3305 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3306 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3307 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3308#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3309 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3310 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3311 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3312
3313sign:
3314#endif
3315
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3316 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3317 if (0 != ret) {
3318 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3319 return ret;
3320 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3321
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3322 /*
3323 * digitally-signed struct {
3324 * opaque handshake_messages[handshake_messages_length];
3325 * };
3326 *
3327 * Taking shortcut here. We assume that the server always allows the
3328 * PRF Hash function and has sent it in the allowed signature
3329 * algorithms list received in the Certificate Request message.
3330 *
3331 * Until we encounter a server that does not, we will take this
3332 * shortcut.
3333 *
3334 * Reason: Otherwise we should have running hashes for SHA512 and
3335 * SHA224 in order to satisfy 'weird' needs from the server
3336 * side.
3337 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3338 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3339 md_alg = MBEDTLS_MD_SHA384;
3340 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3341 } else {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3342 md_alg = MBEDTLS_MD_SHA256;
3343 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3344 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3345 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3346
3347 /* Info from md_alg will be used instead */
3348 hashlen = 0;
3349 offset = 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3350
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3351#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3352 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3353 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3354 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3355#endif
3356
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3357 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3358 md_alg, hash_start, hashlen,
3359 ssl->out_msg + 6 + offset,
3360 out_buf_len - 6 - offset,
3361 &n,
3362 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3363 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3364#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3366 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3367 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3368#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3369 return ret;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3370 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3372 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3373
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3374 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3375 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3376 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3377
3378 ssl->state++;
3379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3380 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3381 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3382 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3383 }
3384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3385 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3387 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3388}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3389#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3391#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3392MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3393static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3394{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3395 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3396 uint32_t lifetime;
3397 size_t ticket_len;
3398 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3399 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3401 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3402
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3403 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3404 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3405 return ret;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3406 }
3407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3408 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3409 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3410 mbedtls_ssl_send_alert_message(
3411 ssl,
3412 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3413 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3414 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3415 }
3416
3417 /*
3418 * struct {
3419 * uint32 ticket_lifetime_hint;
3420 * opaque ticket<0..2^16-1>;
3421 * } NewSessionTicket;
3422 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3423 * 0 . 3 ticket_lifetime_hint
3424 * 4 . 5 ticket_len (n)
3425 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3426 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3427 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3428 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3429 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3430 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3431 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3432 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3433 }
3434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3435 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3437 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
3438 (msg[2] << 8) | (msg[3]);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3440 ticket_len = (msg[4] << 8) | (msg[5]);
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3442 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3443 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3444 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3445 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3446 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3447 }
3448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3449 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3450
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3451 /* We're not waiting for a NewSessionTicket message any more */
3452 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3453 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3454
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3455 /*
3456 * Zero-length ticket means the server changed his mind and doesn't want
3457 * to send a ticket after all, so just forget it
3458 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3459 if (ticket_len == 0) {
3460 return 0;
3461 }
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3462
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3463 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3464 mbedtls_platform_zeroize(ssl->session->ticket,
3465 ssl->session->ticket_len);
3466 mbedtls_free(ssl->session->ticket);
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]3467 ssl->session->ticket = NULL;
3468 ssl->session->ticket_len = 0;
3469 }
3470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3471 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
3472 ssl->session_negotiate->ticket_len);
3473 mbedtls_free(ssl->session_negotiate->ticket);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3474 ssl->session_negotiate->ticket = NULL;
3475 ssl->session_negotiate->ticket_len = 0;
3476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3477 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3478 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3479 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3480 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3481 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3482 }
3483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3484 memcpy(ticket, msg + 6, ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3485
3486 ssl->session_negotiate->ticket = ticket;
3487 ssl->session_negotiate->ticket_len = ticket_len;
3488 ssl->session_negotiate->ticket_lifetime = lifetime;
3489
3490 /*
3491 * RFC 5077 section 3.4:
3492 * "If the client receives a session ticket from the server, then it
3493 * discards any Session ID that was sent in the ServerHello."
3494 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3495 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3496 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3498 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3500 return 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3501}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3502#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3503
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3504/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3505 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3506 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3507int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3508{
3509 int ret = 0;
3510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3511 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3512 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3513#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3514 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3515 ssl->handshake->new_session_ticket != 0) {
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]3516 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3517 }
3518#endif
3519
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3520 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3521 case MBEDTLS_SSL_HELLO_REQUEST:
3522 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3523 break;
3524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3525 /*
3526 * ==> ClientHello
3527 */
3528 case MBEDTLS_SSL_CLIENT_HELLO:
3529 ret = mbedtls_ssl_write_client_hello(ssl);
3530 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3532 /*
3533 * <== ServerHello
3534 * Certificate
3535 * ( ServerKeyExchange )
3536 * ( CertificateRequest )
3537 * ServerHelloDone
3538 */
3539 case MBEDTLS_SSL_SERVER_HELLO:
3540 ret = ssl_parse_server_hello(ssl);
3541 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3543 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3544 ret = mbedtls_ssl_parse_certificate(ssl);
3545 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3547 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3548 ret = ssl_parse_server_key_exchange(ssl);
3549 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3551 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3552 ret = ssl_parse_certificate_request(ssl);
3553 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3555 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3556 ret = ssl_parse_server_hello_done(ssl);
3557 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3558
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3559 /*
3560 * ==> ( Certificate/Alert )
3561 * ClientKeyExchange
3562 * ( CertificateVerify )
3563 * ChangeCipherSpec
3564 * Finished
3565 */
3566 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3567 ret = mbedtls_ssl_write_certificate(ssl);
3568 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3569
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3570 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3571 ret = ssl_write_client_key_exchange(ssl);
3572 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3573
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3574 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3575 ret = ssl_write_certificate_verify(ssl);
3576 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3579 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3580 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3582 case MBEDTLS_SSL_CLIENT_FINISHED:
3583 ret = mbedtls_ssl_write_finished(ssl);
3584 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3585
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3586 /*
3587 * <== ( NewSessionTicket )
3588 * ChangeCipherSpec
3589 * Finished
3590 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3591#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3592 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3593 ret = ssl_parse_new_session_ticket(ssl);
3594 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3595#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3596
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3597 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3598 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3599 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3600
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3601 case MBEDTLS_SSL_SERVER_FINISHED:
3602 ret = mbedtls_ssl_parse_finished(ssl);
3603 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3604
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3605 case MBEDTLS_SSL_FLUSH_BUFFERS:
3606 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3607 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3608 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3610 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3611 mbedtls_ssl_handshake_wrapup(ssl);
3612 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3614 default:
3615 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3616 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3617 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3619 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3620}
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3621
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3622#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */