TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ccb03449692e42f4da45fb20cd46e08b648bca26 / . / library / ssl_tls12_server.c
blob: 38afc7d87902772f5257985b750f00de2a89e131 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]24#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]25
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]26#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]27#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]30#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]31#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]32#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33
34#include <string.h>
35
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]36#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]39#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
40 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]41static int local_err_translation(psa_status_t status)
42{
43 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]44 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]45 psa_generic_status_to_mbedtls);
46}
47#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]48#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]49#endif
50
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]52#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]53#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]56#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
61 const unsigned char *info,
62 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]64 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
65 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
66 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]67
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]69
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]70 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
71 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
72 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]73
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]74 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75 ssl->cli_id_len = ilen;
76
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]77 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]78}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]79
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
81 mbedtls_ssl_cookie_write_t *f_cookie_write,
82 mbedtls_ssl_cookie_check_t *f_cookie_check,
83 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]84{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]85 conf->f_cookie_write = f_cookie_write;
86 conf->f_cookie_check = f_cookie_check;
87 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]88}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]90
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]91#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]92MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]94{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]95 if (conf->f_psk != NULL) {
96 return 1;
97 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]99 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
100 return 0;
101 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]102
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]103
104#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]105 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
106 return 1;
107 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]108#endif /* MBEDTLS_USE_PSA_CRYPTO */
109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]110 if (conf->psk != NULL && conf->psk_len != 0) {
111 return 1;
112 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]115}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]116#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]117
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]118MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]119static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
120 const unsigned char *buf,
121 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]122{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]124 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]125 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]127 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
129 ssl->verify_data_len) != 0) {
130 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
131 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
132 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
133 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]134 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]135 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]136#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]137 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138 if (len != 1 || buf[0] != 0x0) {
139 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
140 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
141 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
142 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]143 }
144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]145 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]146 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]148 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]149}
150
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]151#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]152 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]153/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]154 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
155 * curves (TLS 1.2) extension.
156 *
157 * The "extension_data" field of a supported groups extension contains a
158 * "NamedGroupList" value (TLS 1.3 RFC8446):
159 * enum {
160 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
161 * x25519(0x001D), x448(0x001E),
162 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
163 * ffdhe6144(0x0103), ffdhe8192(0x0104),
164 * ffdhe_private_use(0x01FC..0x01FF),
165 * ecdhe_private_use(0xFE00..0xFEFF),
166 * (0xFFFF)
167 * } NamedGroup;
168 * struct {
169 * NamedGroup named_group_list<2..2^16-1>;
170 * } NamedGroupList;
171 *
172 * The "extension_data" field of a supported elliptic curves extension contains
173 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
174 * enum {
175 * deprecated(1..22),
176 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
177 * x25519(29), x448(30),
178 * reserved (0xFE00..0xFEFF),
179 * deprecated(0xFF01..0xFF02),
180 * (0xFFFF)
181 * } NamedCurve;
182 * struct {
183 * NamedCurve named_curve_list<2..2^16-1>
184 * } NamedCurveList;
185 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]186 * The TLS 1.3 supported groups extension was defined to be a compatible
187 * generalization of the TLS 1.2 supported elliptic curves extension. They both
188 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]189 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]190 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]191MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]192static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
193 const unsigned char *buf,
194 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]195{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]196 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]197 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]198 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 if (len < 2) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
204 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]205 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]206 list_size = ((buf[0] << 8) | (buf[1]));
207 if (list_size + 2 != len ||
208 list_size % 2 != 0) {
209 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
210 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
211 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
212 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]213 }
214
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]215 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]216 if (ssl->handshake->curves_tls_id != NULL) {
217 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
218 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
219 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
220 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]221 }
222
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]223 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]224 * and leave room for a final 0 */
225 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]227 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]228 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]229
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 if ((curves_tls_id = mbedtls_calloc(our_size,
231 sizeof(*curves_tls_id))) == NULL) {
232 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
233 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
234 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]235 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]236
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]237 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]238
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]239 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]240 while (list_size > 0 && our_size > 1) {
241 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]242
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]243 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
244 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]245 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]246 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]247 }
248
249 list_size -= 2;
250 p += 2;
251 }
252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]253 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]254}
255
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]256MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]257static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
258 const unsigned char *buf,
259 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]260{
261 size_t list_size;
262 const unsigned char *p;
263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264 if (len == 0 || (size_t) (buf[0] + 1) != len) {
265 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
266 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
267 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
268 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]269 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]270 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]271
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]272 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]273 while (list_size > 0) {
274 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
275 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti77a904c2023-03-24 07:28:49 +0100[diff] [blame]276#if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]277 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti77a904c2023-03-24 07:28:49 +0100[diff] [blame]278#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]279#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]280 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
281 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
282 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]283#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]284 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
285 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]286 }
287
288 list_size--;
289 p++;
290 }
291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]292 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]293}
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]294#endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]295 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]296
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]297#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]298MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
300 const unsigned char *buf,
301 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]302{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]304
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]305#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]307#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]308 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]309#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]310 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]311 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
312 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]313 }
314
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]315#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 if ((ret = mbedtls_psa_ecjpake_read_round(
317 &ssl->handshake->psa_pake_ctx, buf, len,
318 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
319 psa_destroy_key(ssl->handshake->psa_pake_password);
320 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]321
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]323 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 ssl,
325 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]327
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]329 }
330#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
332 buf, len)) != 0) {
333 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
334 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
335 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
336 return ret;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]337 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]338#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]339
340 /* Only mark the extension as OK when we're sure it is */
341 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
342
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]343 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]344}
345#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]347#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]348MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]349static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
350 const unsigned char *buf,
351 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]352{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
354 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
355 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
356 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
357 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]358 }
359
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]360 ssl->session_negotiate->mfl_code = buf[0];
361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]362 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]363}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]364#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]365
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]366#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]367MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
369 const unsigned char *buf,
370 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]371{
372 size_t peer_cid_len;
373
374 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
377 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
378 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
379 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]380 }
381
382 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]383 * struct {
384 * opaque cid<0..2^8-1>;
385 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 if (len < 1) {
389 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
390 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
391 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
392 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]393 }
394
395 peer_cid_len = *buf++;
396 len--;
397
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]398 if (len != peer_cid_len) {
399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
400 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
401 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
402 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]403 }
404
405 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]407 /* Leave ssl->handshake->cid_in_use in its default
408 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
410 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]411 }
412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]413 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
414 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
415 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
416 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
417 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]418 }
419
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]420 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]421 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
425 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]426
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]427 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]428}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]429#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]431#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]432MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]433static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
434 const unsigned char *buf,
435 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]436{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]437 if (len != 0) {
438 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
439 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
440 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
441 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]442 }
443
444 ((void) buf);
445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]446 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]447 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]448 }
449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]450 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]451}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]452#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]454#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]455MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]456static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
457 const unsigned char *buf,
458 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]459{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (len != 0) {
461 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
462 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
463 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
464 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]465 }
466
467 ((void) buf);
468
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]469 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]470 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]471 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]473 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]474}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]475#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]478MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]479static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
480 unsigned char *buf,
481 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]482{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]483 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]484 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]488 if (ssl->conf->f_ticket_parse == NULL ||
489 ssl->conf->f_ticket_write == NULL) {
490 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]491 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]492
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]493 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]494 ssl->handshake->new_session_ticket = 1;
495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (len == 0) {
499 return 0;
500 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]502#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
504 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
505 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]506 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]507#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]508
509 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]510 * Failures are ok: just ignore the ticket and proceed.
511 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]512 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
513 buf, len)) != 0) {
514 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]515
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]516 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
517 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
518 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
519 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
520 } else {
521 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
522 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]523
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]524 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]525 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]526
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]527 /*
528 * Keep the session ID sent by the client, since we MUST send it back to
529 * inform them we're accepting the ticket (RFC 5077 section 3.4)
530 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]531 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]532 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 mbedtls_ssl_session_free(ssl->session_negotiate);
535 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]536
537 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]540 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]541
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]542 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]543
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]544 /* Don't send a new ticket after all, this one is OK */
545 ssl->handshake->new_session_ticket = 0;
546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]548}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]549#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]550
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]551#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]552MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]553static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
554 const unsigned char *buf,
555 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]556{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]557 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]559 size_t profile_length;
560 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]561 /*! 2 bytes for profile length and 1 byte for mki len */
562 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]563
564 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]565 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
566 (ssl->conf->dtls_srtp_profile_list == NULL) ||
567 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
568 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]569 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]570
571 /* RFC5764 section 4.1.1
572 * uint8 SRTPProtectionProfile[2];
573 *
574 * struct {
575 * SRTPProtectionProfiles SRTPProtectionProfiles;
576 * opaque srtp_mki<0..255>;
577 * } UseSRTPData;
578
579 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]580 */
581
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]582 /*
583 * Min length is 5: at least one protection profile(2 bytes)
584 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]585 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]586 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]587 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 if (len < size_of_lengths) {
589 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
590 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
591 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]592 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]595
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]596 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]597 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]598 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]599
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]600 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]601 if (profile_length > len - size_of_lengths ||
602 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
603 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
604 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
605 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]606 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]607 /*
608 * parse the extension list values are defined in
609 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
610 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]611 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]612 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]613 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]614
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]615 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
616 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
617 mbedtls_ssl_get_srtp_profile_as_string(
618 client_protection)));
619 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]620 continue;
621 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]622 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]623 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
624 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]625 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]626 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
627 mbedtls_ssl_get_srtp_profile_as_string(
628 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]629 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]630 }
631 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]633 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]635 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]636 buf += profile_length; /* buf points to the mki length */
637 mki_length = *buf;
638 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]640 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
641 mki_length + profile_length + size_of_lengths != len) {
642 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
643 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
644 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]645 }
646
647 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
649 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]650 ssl->dtls_srtp_info.mki_len = mki_length;
651
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]652 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
655 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]656 }
657
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]659}
660#endif /* MBEDTLS_SSL_DTLS_SRTP */
661
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]662/*
663 * Auxiliary functions for ServerHello parsing and related actions
664 */
665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]667/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]668 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]669 */
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]670#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]671MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672static int ssl_check_key_curve(mbedtls_pk_context *pk,
673 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]674{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]675 uint16_t *curr_tls_id = curves_tls_id;
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]676 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]677 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]678
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]679 while (*curr_tls_id != 0) {
680 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
681 if (curr_grp_id == grp_id) {
682 return 0;
683 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]684 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]685 }
686
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]687 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]688}
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]689#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]690
691/*
692 * Try picking a certificate for this ciphersuite,
693 * return 0 on success and -1 on failure.
694 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]695MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696static int ssl_pick_cert(mbedtls_ssl_context *ssl,
697 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]698{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]699 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]700#if defined(MBEDTLS_USE_PSA_CRYPTO)
701 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]702 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]703 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]705#else
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]706 mbedtls_pk_type_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]707 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]708#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]709 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]711#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]712 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]713 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]714 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]715#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]717
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]718 int pk_alg_is_none = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]719#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]721#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]723#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]724 if (pk_alg_is_none) {
725 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]726 }
727
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]728 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
729
730 if (list == NULL) {
731 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
732 return -1;
733 }
734
735 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]736 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]737 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
738 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]739
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]740 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]741#if defined(MBEDTLS_USE_PSA_CRYPTO)
742#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
744 ssl->conf->f_async_decrypt_start != NULL ||
745 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
746 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]747#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]748 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]750#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
751#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]752 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]753#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]754 if (!key_type_matches) {
755 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]756 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]757 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]758
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]759 /*
760 * This avoids sending the client a cert it'll reject based on
761 * keyUsage or other extensions.
762 *
763 * It also allows the user to provision different certificates for
764 * different uses based on keyUsage, eg if they want to avoid signing
765 * and decrypting with the same RSA key.
766 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]767 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
768 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
769 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
770 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]771 continue;
772 }
773
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]774#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]775 if (pk_alg == MBEDTLS_PK_ECDSA &&
776 ssl_check_key_curve(&cur->cert->pk,
777 ssl->handshake->curves_tls_id) != 0) {
778 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]779 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]780 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]781#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]782
783 /* If we get there, we got a winner */
784 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]785 }
786
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]787 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]788 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]789 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]790 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
791 ssl->handshake->key_cert->cert);
792 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]793 }
794
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]796}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798
799/*
800 * Check if a given ciphersuite is suitable for use with our config/keys/etc
801 * Sets ciphersuite_info only if the suite matches.
802 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]803MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]804static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
805 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]806{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]807 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]809#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]810 mbedtls_pk_type_t sig_type;
811#endif
812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
814 if (suite_info == NULL) {
815 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
816 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]817 }
818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]819 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
820 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]821
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]822 if (suite_info->min_tls_version > ssl->tls_version ||
823 suite_info->max_tls_version < ssl->tls_version) {
824 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
825 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]826 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]827
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]828#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]829 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
830 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
831 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
832 "not configured or ext missing"));
833 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]834 }
835#endif
836
837
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]838#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]839 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
840 (ssl->handshake->curves_tls_id == NULL ||
841 ssl->handshake->curves_tls_id[0] == 0)) {
842 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
843 "no common elliptic curve"));
844 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]845 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]846#endif
847
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]848#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]849 /* If the ciphersuite requires a pre-shared key and we don't
850 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]851 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
852 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
853 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
854 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]855 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]856#endif
857
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]858#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]859 /*
860 * Final check: if ciphersuite requires us to have a
861 * certificate/key of a particular type:
862 * - select the appropriate certificate if we have one, or
863 * - try the next ciphersuite if we don't
864 * This must be done last since we modify the key_cert list.
865 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]866 if (ssl_pick_cert(ssl, suite_info) != 0) {
867 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
868 "no suitable certificate"));
869 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]870 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]871#endif
872
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]873#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
874 /* If the ciphersuite requires signing, check whether
875 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]876 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
877 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]878 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
880 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
881 "for signature algorithm %u", (unsigned) sig_type));
882 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]883 }
884
885#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
886
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]887 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]889}
890
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]891/* This function doesn't alert on errors that happen early during
892 ClientHello parsing because they might indicate that the client is
893 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]894MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]897 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]898 size_t i, j;
899 size_t ciph_offset, comp_offset, ext_offset;
900 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]901#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]902 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]903#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]904 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]905#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]906 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]907#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]908 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]909 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]910 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]912 /* If there is no signature-algorithm extension present,
913 * we need to fall back to the default values for allowed
914 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]915#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]916 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]917#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]921 int renegotiating;
922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]923#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]924read_record_header:
925#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]926 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]928 * otherwise read it ourselves manually in order to support SSLv2
929 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]930 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
931 * ClientHello has been already fully fetched by the TLS 1.3 code and the
932 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]933 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]934 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]935#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]936 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]937#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]938 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]940 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]941 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
942 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]943 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944 }
945
946 buf = ssl->in_hdr;
947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]948 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]949
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]950 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]951 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]952 *
953 * Record layer:
954 * 0 . 0 message type
955 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]956 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]957 * 3 . 4 message length
958 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
960 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
963 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
964 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]965 }
966
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]967 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
968 (ssl->in_len[0] << 8) | ssl->in_len[1]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]969
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]970 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
971 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]972
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]973 /* For DTLS if this is the initial handshake, remember the client sequence
974 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]975#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]976 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977#if defined(MBEDTLS_SSL_RENEGOTIATION)
978 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]979#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]980 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]981 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]982 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
983 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
984 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]985 }
986
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]987 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
988 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
992 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]993 ssl->next_record_offset = 0;
994 ssl->in_left = 0;
995 goto read_record_header;
996 }
997
998 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]1000#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1001 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1003
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1004 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]1009 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1010 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1011#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1012 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1013 if (ssl->keep_current_message) {
1014 ssl->keep_current_message = 0;
1015 } else {
1016 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1017 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1018 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1019 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1020
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1021 if ((ret = mbedtls_ssl_fetch_input(ssl,
1022 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1023 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1024 return ret;
1025 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1026
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1027 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1028#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1029 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1030 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1031 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1032#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1033 ssl->in_left = 0;
1034 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]1035 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1036
1037 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1038
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1039 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1040
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1041 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1042 if (0 != ret) {
1043 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1044 return ret;
1045 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1046
1047 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1048 * Handshake layer:
1049 * 0 . 0 handshake type
1050 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1051 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1052 * 6 . 8 DTLS only: fragment offset
1053 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1054 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1055 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1056 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1057 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1058 }
1059
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1060 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1062 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1063 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1064 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1065 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1066 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1068 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1069 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1070
1071 /* The record layer has a record size limit of 2^14 - 1 and
1072 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1073 if (buf[1] != 0) {
1074 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1075 (unsigned) buf[1]));
1076 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1077 }
1078
1079 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1080 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1081 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1082 (unsigned) msg_len,
1083 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1084 (unsigned) handshake_len));
1085 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1086 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1087 }
1088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1091 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1092 * Copy the client's handshake message_seq on initial handshakes,
1093 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1094 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1095#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1096 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1097 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1098 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1100 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1101 "%u (expected %u)", cli_msg_seq,
1102 ssl->handshake->in_msg_seq));
1103 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1104 }
1105
1106 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1107 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1108#endif
1109 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1110 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1111 ssl->handshake->out_msg_seq = cli_msg_seq;
1112 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1113 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1114 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1115 /*
1116 * For now we don't support fragmentation, so make sure
1117 * fragment_offset == 0 and fragment_length == length
1118 */
1119 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1120 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1121 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1122 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1123 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1124 4, ("fragment_offset=%u fragment_length=%u length=%u",
1125 (unsigned) fragment_offset, (unsigned) fragment_length,
1126 (unsigned) length));
1127 if (fragment_offset != 0 || length != fragment_length) {
1128 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1129 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1130 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1131 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1132 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1133#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1134
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1135 buf += mbedtls_ssl_hs_hdr_len(ssl);
1136 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1137
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1138 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1139 * ClientHello layer:
1140 * 0 . 1 protocol version
1141 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1142 * 34 . 35 session id length (1 byte)
1143 * 35 . 34+x session id
1144 * 35+x . 35+x DTLS only: cookie length (1 byte)
1145 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1146 * .. . .. ciphersuite list length (2 bytes)
1147 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1148 * .. . .. compression alg. list length (1 byte)
1149 * .. . .. compression alg. list
1150 * .. . .. extensions length (2 bytes, optional)
1151 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1152 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1153
1154 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1155 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1156 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1157 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1158 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1159 if (msg_len < 38) {
1160 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1161 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1162 }
1163
1164 /*
1165 * Check and save the protocol version
1166 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1167 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1168
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1169 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1170 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1171 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1172
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1173 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1174 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1175 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1176 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1177 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1178 }
1179
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1180 /*
1181 * Save client random (inc. Unix time)
1182 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1183 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1186
1187 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1188 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1189 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1190 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1191
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1192 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1193 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1194 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1195 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1196 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1197 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1198 }
1199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1201
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1202 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 memset(ssl->session_negotiate->id, 0,
1204 sizeof(ssl->session_negotiate->id));
1205 memcpy(ssl->session_negotiate->id, buf + 35,
1206 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1207
1208 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1209 * Check the cookie length and content
1210 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1211#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1212 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1213 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1214 cookie_len = buf[cookie_offset];
1215
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1216 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1217 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1218 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1219 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1220 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1221 }
1222
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1223 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1224 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1226#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1227 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228#if defined(MBEDTLS_SSL_RENEGOTIATION)
1229 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1230#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1231 ) {
1232 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1233 buf + cookie_offset + 1, cookie_len,
1234 ssl->cli_id, ssl->cli_id_len) != 0) {
1235 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1236 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1237 } else {
1238 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1239 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1240 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1241 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1242#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1243 {
1244 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1245 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1246 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1247 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1248 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1249 }
1250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1251 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1252 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1254 /*
1255 * Check the ciphersuitelist length (will be parsed later)
1256 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1257 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1258 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1259#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1260 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1261
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1262 ciph_len = (buf[ciph_offset + 0] << 8)
1263 | (buf[ciph_offset + 1]);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1266 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1267 (ciph_len % 2) != 0) {
1268 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1269 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1270 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1271 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1272 }
1273
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1274 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1275 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1276
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1277 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1278 * Check the compression algorithm's length.
1279 * The list contents are ignored because implementing
1280 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1281 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1282 */
1283 comp_offset = ciph_offset + 2 + ciph_len;
1284
1285 comp_len = buf[comp_offset];
1286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1287 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1288 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289 comp_len + comp_offset + 1 > msg_len) {
1290 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1291 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1292 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1293 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1294 }
1295
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1296 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1297 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1299 /*
1300 * Check the extension length
1301 */
1302 ext_offset = comp_offset + 1 + comp_len;
1303 if (msg_len > ext_offset) {
1304 if (msg_len < ext_offset + 2) {
1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1308 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1309 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1310
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1311 ext_len = (buf[ext_offset + 0] << 8)
1312 | (buf[ext_offset + 1]);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1314 if (msg_len != ext_offset + 2 + ext_len) {
1315 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1316 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1317 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1318 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1319 }
1320 } else {
1321 ext_len = 0;
1322 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 ext = buf + ext_offset + 2;
1325 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1326
1327 while (ext_len != 0) {
1328 unsigned int ext_id;
1329 unsigned int ext_size;
1330 if (ext_len < 4) {
1331 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1332 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1333 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1334 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1335 }
1336 ext_id = ((ext[0] << 8) | (ext[1]));
1337 ext_size = ((ext[2] << 8) | (ext[3]));
1338
1339 if (ext_size + 4 > ext_len) {
1340 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1341 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1342 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1343 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1344 }
1345 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1347 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1348 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1349 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1350 ext + 4 + ext_size);
1351 if (ret != 0) {
1352 return ret;
1353 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1354 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1356
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1357 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1358 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1360 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1361#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1364 if (ret != 0) {
1365 return ret;
1366 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1367 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1368
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1369#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1373 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1374 if (ret != 0) {
1375 return ret;
1376 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1377
1378 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1379 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1380#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1381
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]1382#if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1383 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1384 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1387 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1388 if (ret != 0) {
1389 return ret;
1390 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1391 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1392
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1393 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1394 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1395 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1397 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1398 if (ret != 0) {
1399 return ret;
1400 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1401 break;
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]1402#endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1403 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1404
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1405#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1406 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1407 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1408
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1409 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1410 if (ret != 0) {
1411 return ret;
1412 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1413 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1414#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1416#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1417 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1418 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1419
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1420 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1421 if (ret != 0) {
1422 return ret;
1423 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1424 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1425#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1426
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1427#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1428 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1429 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1431 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1432 if (ret != 0) {
1433 return ret;
1434 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1435 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1436#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1437
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1438#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1439 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1442 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1443 if (ret != 0) {
1444 return ret;
1445 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1446 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1447#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1450 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1451 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1452
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1453 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1454 if (ret != 0) {
1455 return ret;
1456 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1457 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1458#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1460#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1461 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1462 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1463
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1464 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1465 if (ret != 0) {
1466 return ret;
1467 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1468 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1469#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1472 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1473 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1475 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1476 ext + 4 + ext_size);
1477 if (ret != 0) {
1478 return ret;
1479 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1480 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1482
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1483#if defined(MBEDTLS_SSL_DTLS_SRTP)
1484 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1485 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1488 if (ret != 0) {
1489 return ret;
1490 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1491 break;
1492#endif /* MBEDTLS_SSL_DTLS_SRTP */
1493
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1494 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1495 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1496 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1497 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1498
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 ext_len -= 4 + ext_size;
1500 ext += 4 + ext_size;
1501 }
1502
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1503#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1504
1505 /*
1506 * Try to fall back to default hash SHA1 if the client
1507 * hasn't provided any preferred signature-hash combinations.
1508 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1509 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1510 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1511 const uint16_t default_sig_algs[] = {
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]1512#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1514 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1515#endif
1516#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1517 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1518 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1519#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1520 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1521 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1522
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1523 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1524 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1525 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1527 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1528 }
1529
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1530#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1531
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1532 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1533 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1534 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1535 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1536 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1537 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1538#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1539 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1540 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1541 "during renegotiation"));
1542 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1543 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1544 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1545 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1546#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1548 break;
1549 }
1550 }
1551
1552 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1553 * Renegotiation security checks
1554 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1556 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1557 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1558 handshake_failure = 1;
1559 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1560#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1562 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1563 renegotiation_info_seen == 0) {
1564 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1565 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1566 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1567 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1568 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1569 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1570 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1571 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1572 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1573 renegotiation_info_seen == 1) {
1574 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1575 handshake_failure = 1;
1576 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1578
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1579 if (handshake_failure == 1) {
1580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1581 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1582 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1583 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1584
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1585 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1586 * Server certification selection (after processing TLS extensions)
1587 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1588 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1589 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1590 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1591 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1592#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1593 ssl->handshake->sni_name = NULL;
1594 ssl->handshake->sni_name_len = 0;
1595#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1596
1597 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1598 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1599 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1600 * and certificate from the SNI callback triggered by the SNI extension
1601 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1602 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1603 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1604 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1605 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1607 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1608 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1609 for (i = 0; ciphersuites[i] != 0; i++) {
1610 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1611 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1612 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1613
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1614 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1616 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1617 &ciphersuite_info)) != 0) {
1618 return ret;
1619 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1620
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1621 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1622 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1623 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1624 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1625 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1626 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1627 for (i = 0; ciphersuites[i] != 0; i++) {
1628 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1629 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1630 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1631 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1632
1633 got_common_suite = 1;
1634
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1636 &ciphersuite_info)) != 0) {
1637 return ret;
1638 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1640 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1641 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1643 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1644 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1645 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1647 if (got_common_suite) {
1648 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1649 "but none of them usable"));
1650 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1651 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1652 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1653 } else {
1654 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1655 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1656 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1657 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1658 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1659
1660have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1662
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1663 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1664 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1665
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1666 ssl->state++;
1667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1668#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1669 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1670 mbedtls_ssl_recv_flight_completed(ssl);
1671 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1672#endif
1673
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1674 /* Debugging-only output for testsuite */
1675#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1676 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1677 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1678 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1679 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1680 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1681 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1682 sig_hash));
1683 } else {
1684 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1685 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1686 }
1687#endif
1688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1691 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692}
1693
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1694#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1695static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1696 unsigned char *buf,
1697 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1698{
1699 unsigned char *p = buf;
1700 size_t ext_len;
1701 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1702
1703 *olen = 0;
1704
1705 /* Skip writing the extension if we don't want to use it or if
1706 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1707 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1708 return;
1709 }
1710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1711 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1712 * which is at most 255, so the increment cannot overflow. */
1713 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1714 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1715 return;
1716 }
1717
1718 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1719
1720 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1721 * struct {
1722 * opaque cid<0..2^8-1>;
1723 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1724 */
1725 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1726 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1727 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1728 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1729 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1730
1731 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1732 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1733
1734 *olen = ssl->own_cid_len + 5;
1735}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1736#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1737
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1738#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1739static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1740 unsigned char *buf,
1741 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1742{
1743 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1744 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1745
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1746 /*
1747 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1748 * from a client and then selects a stream or Authenticated Encryption
1749 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1750 * encrypt-then-MAC response extension back to the client."
1751 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1752 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1753 ssl->session_negotiate->ciphersuite);
1754 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1755 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1757 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1758 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1759 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1760 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1761
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1762 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1763 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1764 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1765 }
1766
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1767 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1768 *olen = 0;
1769 return;
1770 }
1771
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1772 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1773
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1774 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1775 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1776
1777 *p++ = 0x00;
1778 *p++ = 0x00;
1779
1780 *olen = 4;
1781}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1782#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1785static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1786 unsigned char *buf,
1787 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1788{
1789 unsigned char *p = buf;
1790
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1791 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1792 *olen = 0;
1793 return;
1794 }
1795
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1796 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1797 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1798
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1799 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1800 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1801
1802 *p++ = 0x00;
1803 *p++ = 0x00;
1804
1805 *olen = 4;
1806}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1808
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1810static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1811 unsigned char *buf,
1812 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1813{
1814 unsigned char *p = buf;
1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1817 *olen = 0;
1818 return;
1819 }
1820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1821 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1822
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1823 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1824 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1825
1826 *p++ = 0x00;
1827 *p++ = 0x00;
1828
1829 *olen = 4;
1830}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1832
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1833static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1834 unsigned char *buf,
1835 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1836{
1837 unsigned char *p = buf;
1838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1839 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1840 *olen = 0;
1841 return;
1842 }
1843
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1844 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1845
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1846 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1847 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1850 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1851 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1852 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1853 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1854
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1855 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1856 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1857 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1858 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1860#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1861 {
1862 *p++ = 0x00;
1863 *p++ = 0x01;
1864 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1865 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1866
1867 *olen = p - buf;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1868}
1869
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1870#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1871static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1872 unsigned char *buf,
1873 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1874{
1875 unsigned char *p = buf;
1876
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1877 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1878 *olen = 0;
1879 return;
1880 }
1881
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1882 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1883
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1884 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1885 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1886
1887 *p++ = 0x00;
1888 *p++ = 1;
1889
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1890 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1891
1892 *olen = 5;
1893}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1894#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1895
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1896#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1897 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1898static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1899 unsigned char *buf,
1900 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1901{
1902 unsigned char *p = buf;
1903 ((void) ssl);
1904
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1905 if ((ssl->handshake->cli_exts &
1906 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1907 *olen = 0;
1908 return;
1909 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1910
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1911 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1912
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1913 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1914 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1915
1916 *p++ = 0x00;
1917 *p++ = 2;
1918
1919 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1920 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1921
1922 *olen = 6;
1923}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1924#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1925
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1926#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1927static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1928 unsigned char *buf,
1929 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1930{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1931 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1932 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1933 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1934 size_t kkpp_len;
1935
1936 *olen = 0;
1937
1938 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1939 if (ssl->handshake->ciphersuite_info->key_exchange !=
1940 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1941 return;
1942 }
1943
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1944 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1945
1946 if (end - p < 4) {
1947 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1948 return;
1949 }
1950
1951 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1952 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1953
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1954#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1955 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1956 p + 2, end - p - 2, &kkpp_len,
1957 MBEDTLS_ECJPAKE_ROUND_ONE);
1958 if (ret != 0) {
1959 psa_destroy_key(ssl->handshake->psa_pake_password);
1960 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1961 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1962 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1963 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1964#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1965 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1966 p + 2, end - p - 2, &kkpp_len,
1967 ssl->conf->f_rng, ssl->conf->p_rng);
1968 if (ret != 0) {
1969 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1970 return;
1971 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1972#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1974 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1975 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1976
1977 *olen = kkpp_len + 4;
1978}
1979#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1981#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1982static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1983 unsigned char *buf,
1984 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1985{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1986 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1987 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1988 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1989
1990 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1991
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1993 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1994 return;
1995 }
1996
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1997 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1998
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1999 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2000 mki_len = ssl->dtls_srtp_info.mki_len;
2001 }
2002
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]2003 /* The extension total size is 9 bytes :
2004 * - 2 bytes for the extension tag
2005 * - 2 bytes for the total size
2006 * - 2 bytes for the protection profile length
2007 * - 2 bytes for the protection profile
2008 * - 1 byte for the mki length
2009 * + the actual mki length
2010 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2011 if ((size_t) (end - buf) < mki_len + 9) {
2012 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]2013 return;
2014 }
2015
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2016 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2017 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]2018 /*
2019 * total length 5 and mki value: only one profile(2 bytes)
2020 * and length(2 bytes) and srtp_mki )
2021 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2022 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2023 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2024
2025 /* protection profile length: 2 */
2026 buf[4] = 0x00;
2027 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]2028 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2029 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2030 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2031 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2032 } else {
2033 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]2034 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2035 }
2036
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2037 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2038 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2039
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2040 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2041}
2042#endif /* MBEDTLS_SSL_DTLS_SRTP */
2043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2044#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2045MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2046static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2047{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2049 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2050 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2052 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2053
2054 /*
2055 * struct {
2056 * ProtocolVersion server_version;
2057 * opaque cookie<0..2^8-1>;
2058 * } HelloVerifyRequest;
2059 */
2060
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2061 /* The RFC is not clear on this point, but sending the actual negotiated
2062 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2063 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2064 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2065 p += 2;
2066
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2067 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2068 if (ssl->conf->f_cookie_write == NULL) {
2069 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2070 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2071 }
2072
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2073 /* Skip length byte until we know the length */
2074 cookie_len_byte = p++;
2075
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2077 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2078 ssl->cli_id, ssl->cli_id_len)) != 0) {
2079 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2080 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2081 }
2082
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2083 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2084
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2085 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2086
2087 ssl->out_msglen = p - ssl->out_msg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2088 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2089 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2093 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2094 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2095 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2096 }
2097
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2098#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2099 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2100 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2101 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2102 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2103 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2104#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2107
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2108 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2109}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2110#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2111
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2112static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2113{
2114 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2115 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2116 mbedtls_ssl_session * const session = ssl->session_negotiate;
2117
2118 /* Resume is 0 by default, see ssl_handshake_init().
2119 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2120 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2121 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 }
2123 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2124 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2125 }
2126 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2127 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2128 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2129#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2130 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2131 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2132 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2133#endif
2134
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2135 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2136
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2137 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2138 session->id,
2139 session->id_len,
2140 &session_tmp);
2141 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2142 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2143 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2145 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2146 /* Mismatch between cached and negotiated session */
2147 goto exit;
2148 }
2149
2150 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2151 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2152 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2153 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2154
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2155 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2156 ssl->handshake->resume = 1;
2157
2158exit:
2159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2161}
2162
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2163MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2164static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2165{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2166#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2167 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2168#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2169 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2170 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171 unsigned char *buf, *p;
2172
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2173 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2174
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2175#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2177 ssl->handshake->cookie_verify_result != 0) {
2178 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2179 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2181 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2182 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2183#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2185 if (ssl->conf->f_rng == NULL) {
2186 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2187 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2188 }
2189
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190 /*
2191 * 0 . 0 handshake type
2192 * 1 . 3 handshake length
2193 * 4 . 5 protocol version
2194 * 6 . 9 UNIX time()
2195 * 10 . 37 random bytes
2196 */
2197 buf = ssl->out_msg;
2198 p = buf + 4;
2199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2200 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2201 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2203 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2204 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2206#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2207 t = mbedtls_time(NULL);
2208 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2209 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2211 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2212 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2213#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2214 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2215 return ret;
2216 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2217
2218 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2219#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2220
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2221 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2222 return ret;
2223 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2224 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2225
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2226#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2227 /*
2228 * RFC 8446
2229 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2230 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2231 * response to a ClientHello MUST set the last 8 bytes of their Random
2232 * value specially in their ServerHello.
2233 */
2234 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2235 static const unsigned char magic_tls12_downgrade_string[] =
2236 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2237
2238 MBEDTLS_STATIC_ASSERT(
2239 sizeof(magic_tls12_downgrade_string) == 8,
2240 "magic_tls12_downgrade_string does not have the expected size");
2241
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2242 memcpy(p, magic_tls12_downgrade_string,
2243 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2244 } else
2245#endif
2246 {
2247 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2248 return ret;
2249 }
2250 }
2251 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2253 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2255 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2257 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2258
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2259 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2261 * New session, create a new session id,
2262 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2263 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264 ssl->state++;
2265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2266#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2267 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2268#endif
2269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2271 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2272 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2273 memset(ssl->session_negotiate->id, 0, 32);
2274 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2275#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2276 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2277 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2278 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2279 n)) != 0) {
2280 return ret;
2281 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2282 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2283 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2284 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2285 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2286 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2287 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2288 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2290 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2291 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2292 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2293 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2294 }
2295
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2296 /*
2297 * 38 . 38 session id length
2298 * 39 . 38+n session id
2299 * 39+n . 40+n chosen ciphersuite
2300 * 41+n . 41+n chosen compression alg.
2301 * 42+n . 43+n extensions length
2302 * 44+n . 43+n+m extensions
2303 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2304 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2305 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2306 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2307
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2308 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2309 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2310 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2311 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2313 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2314 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2315 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2318 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2319 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2320 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2321
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2322 /*
2323 * First write extensions, then the total length
2324 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2326 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2328#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2329 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2330 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2331#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2332
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2333#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2335 ext_len += olen;
2336#endif
2337
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2338#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2339 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2340 ext_len += olen;
2341#endif
2342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2345 ext_len += olen;
2346#endif
2347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2349 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2350 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2351#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2352
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]2353#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2354 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2355 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2356 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2357 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2358 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2359 ext_len += olen;
2360 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2361#endif
2362
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2363#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2364 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2365 ext_len += olen;
2366#endif
2367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2368#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2369 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2370 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2371 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2372 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2373 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2374
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2375 ext_len += olen;
2376#endif
2377
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2378#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2379 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2380 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2381#endif
2382
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2384 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2386 if (ext_len > 0) {
2387 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2388 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2389 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2390
2391 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2392 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2393 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2395 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2397 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2399 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400}
2401
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2402#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2403MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2404static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2405{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2406 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2407 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2408
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2409 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2411 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2412 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2413 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2414 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2415 }
2416
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2417 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2418 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2419}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2420#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2421MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2422static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2423{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2424 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2425 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2426 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2427 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2428 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2429 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2430 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2431 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2432 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2434 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2435
2436 ssl->state++;
2437
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2438#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2440 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2442#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2443 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2444
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2445 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2446 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2447 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2448 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2449 }
2450
2451 /*
2452 * 0 . 0 handshake type
2453 * 1 . 3 handshake length
2454 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2455 * 5 .. m-1 cert types
2456 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2457 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2458 * n .. n+1 length of all DNs
2459 * n+2 .. n+3 length of DN 1
2460 * n+4 .. ... Distinguished Name #1
2461 * ... .. ... length of DN 2, etc.
2462 */
2463 buf = ssl->out_msg;
2464 p = buf + 4;
2465
2466 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2467 * Supported certificate types
2468 *
2469 * ClientCertificateType certificate_types<1..2^8-1>;
2470 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2471 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2472 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2473
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2474#if defined(MBEDTLS_RSA_C)
2475 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2476#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2477#if defined(MBEDTLS_ECDSA_C)
2478 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2479#endif
2480
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2481 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2482 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2483
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2484 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2485
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2486 /*
2487 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2488 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2489 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2490 *
2491 * struct {
2492 * HashAlgorithm hash;
2493 * SignatureAlgorithm signature;
2494 * } SignatureAndHashAlgorithm;
2495 *
2496 * enum { (255) } HashAlgorithm;
2497 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2498 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2499 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2500 if (sig_alg == NULL) {
2501 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2502 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2503
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2504 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2505 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2507 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2508 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 }
2510 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2511 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2513
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2514 /* Write elements at offsets starting from 1 (offset 0 is for the
2515 * length). Thus the offset of each element is the length of the
2516 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2517 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2518 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2519
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2520 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2521
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2522 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2524 sa_len += 2;
2525 p += sa_len;
2526
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2527 /*
2528 * DistinguishedName certificate_authorities<0..2^16-1>;
2529 * opaque DistinguishedName<1..2^16-1>;
2530 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2532
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2533 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2534
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2535 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2536 /* NOTE: If trusted certificates are provisioned
2537 * via a CA callback (configured through
2538 * `mbedtls_ssl_conf_ca_cb()`, then the
2539 * CertificateRequest is currently left empty. */
2540
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2541#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2542#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2543 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2544 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2546#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2547 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2548 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2549 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2550#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2551#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2552 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2553 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2555#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2556 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2558 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2559 /* It follows from RFC 5280 A.1 that this length
2560 * can be represented in at most 11 bits. */
2561 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2563 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2564 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2565 break;
2566 }
2567
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2568 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2569 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2570 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2571 p += dn_size;
2572
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2573 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2574
2575 total_dn_size += 2 + dn_size;
2576 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2577 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2578 }
2579
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2580 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2581 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2582 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2583 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2584
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2585 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2586
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2587 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2588
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2589 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2590}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2591#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2592
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2593#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2594 (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2595 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2596MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2597static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2598{
2599 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2600 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2601 mbedtls_pk_context *pk;
2602 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2603 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2604#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2605 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2606 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2607 size_t key_len;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2608 mbedtls_ecp_group_id grp_id;
Valerio Setti3589a4c2023-06-22 09:02:44 +0200[diff] [blame]2609 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2610 mbedtls_ecp_keypair *key;
2611#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2612
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2613 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2614
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2615 if (pk == NULL) {
2616 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2617 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2618
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2619 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2620
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2621 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2622 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2623#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2624 case MBEDTLS_PK_ECKEY:
2625 case MBEDTLS_PK_ECKEY_DH:
2626 case MBEDTLS_PK_ECDSA:
2627#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2628 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2629 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2630 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2631
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2632 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
Neil Armstronge88d1902022-04-04 11:25:23 +0200[diff] [blame]2633
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2634 /* Key should not be destroyed in the TLS library */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2635 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2636
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2637 status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2638 &key_attributes);
2639 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2640 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2641 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2642 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2643
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2644 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
2645 ssl->handshake->xxdh_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2647 psa_reset_key_attributes(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2649 ret = 0;
2650 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2651#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2652 case MBEDTLS_PK_ECKEY:
2653 case MBEDTLS_PK_ECKEY_DH:
2654 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2655 key = mbedtls_pk_ec_rw(*pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2656 grp_id = mbedtls_pk_get_group_id(pk);
2657 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2658 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2659 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2660 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2661 if (tls_id == 0) {
2662 /* This elliptic curve is not supported */
2663 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2664 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2666 /* If the above conversion to TLS ID was fine, then also this one will
2667 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2668 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2669 &ssl->handshake->xxdh_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2670
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2671 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2673 key_attributes = psa_key_attributes_init();
2674 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2675 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2676 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2677 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2678 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2679
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2680 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2681 ret = mbedtls_ecp_write_key(key, buf, key_len);
2682 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2683 mbedtls_platform_zeroize(buf, sizeof(buf));
2684 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2685 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2686
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2687 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2688 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2689 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2690 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2691 mbedtls_platform_zeroize(buf, sizeof(buf));
2692 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2693 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2694
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2695 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2696 ret = 0;
2697 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2698#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2699 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2700 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2701 }
2702
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2703 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2704}
2705#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2706 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2707MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2708static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2709{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2710 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2711
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2712 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2713 if (private_key == NULL) {
2714 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2715 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2716 }
2717
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2718 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2719 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2720 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2721 }
2722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2723 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]2724 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2725 MBEDTLS_ECDH_OURS)) != 0) {
2726 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2727 return ret;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2728 }
2729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2730 return 0;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2731}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2732#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2733 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2734
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2735#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2736 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2737MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2738static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2739 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2740{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2741 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2742 * signature length which will be added in ssl_write_server_key_exchange
2743 * after the call to ssl_prepare_server_key_exchange.
2744 * ssl_write_server_key_exchange also takes care of incrementing
2745 * ssl->out_msglen. */
2746 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2747 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2748 - sig_start);
2749 int ret = ssl->conf->f_async_resume(ssl,
2750 sig_start, signature_len, sig_max_len);
2751 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2752 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2754 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2755 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2756 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2757}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2758#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2759 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2760
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2761/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2762 * calculating the signature if any, but excluding formatting the
2763 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2764MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2765static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2766 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2767{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2769 ssl->handshake->ciphersuite_info;
2770
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2771#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2772#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2773 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2774#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2775#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2776
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2777 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2778#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2779 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2780#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2781
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2782#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2783#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2784 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2785#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2786 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2787#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2788#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2789
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2790 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2791
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2792 /*
2793 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2794 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2795 *
2796 */
2797
2798 /*
2799 * - ECJPAKE key exchanges
2800 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2801#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2802 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2803 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2804#if defined(MBEDTLS_USE_PSA_CRYPTO)
2805 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2806 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2807 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2808 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2809 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2810
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2811 /*
2812 * The first 3 bytes are:
2813 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2814 * [1, 2] elliptic curve's TLS ID
2815 *
2816 * However since we only support secp256r1 for now, we hardcode its
2817 * TLS ID here
2818 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2819 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2820 MBEDTLS_ECP_DP_SECP256R1);
2821 if (tls_id == 0) {
2822 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2823 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2824 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2825 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2826 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2828 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2829 out_p + output_offset,
2830 end_p - out_p - output_offset, &output_len,
2831 MBEDTLS_ECJPAKE_ROUND_TWO);
2832 if (ret != 0) {
2833 psa_destroy_key(ssl->handshake->psa_pake_password);
2834 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2835 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2836 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2837 }
2838
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2839 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2840 ssl->out_msglen += output_offset;
2841#else
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2842 size_t len = 0;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2843
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2844 ret = mbedtls_ecjpake_write_round_two(
2845 &ssl->handshake->ecjpake_ctx,
2846 ssl->out_msg + ssl->out_msglen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2847 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2848 ssl->conf->f_rng, ssl->conf->p_rng);
2849 if (ret != 0) {
2850 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2851 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2852 }
2853
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2854 ssl->out_msglen += len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2855#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2856 }
2857#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2858
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2859 /*
2860 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2861 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2862 * we use empty support identity hints here.
2863 **/
2864#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2865 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2866 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2867 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2868 ssl->out_msg[ssl->out_msglen++] = 0x00;
2869 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2870 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2871#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2872 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2873
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2874 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2875 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2876 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2877#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2878 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2879 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2880 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2881
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2882 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2883 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2884 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2885 }
2886
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2887 /*
2888 * Ephemeral DH parameters:
2889 *
2890 * struct {
2891 * opaque dh_p<1..2^16-1>;
2892 * opaque dh_g<1..2^16-1>;
2893 * opaque dh_Ys<1..2^16-1>;
2894 * } ServerDHParams;
2895 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2896 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2897 &ssl->conf->dhm_P,
2898 &ssl->conf->dhm_G)) != 0) {
2899 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2900 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2901 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2902
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2903 if ((ret = mbedtls_dhm_make_params(
2904 &ssl->handshake->dhm_ctx,
2905 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2906 ssl->out_msg + ssl->out_msglen, &len,
2907 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2908 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2909 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2910 }
2911
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2912#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2913 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2914#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2915
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2916 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2917
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2918 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2919 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2920 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2921 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2922 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2923#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2924
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2925 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2926 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2927 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2928#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2929 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2930 /*
2931 * Ephemeral ECDH parameters:
2932 *
2933 * struct {
2934 * ECParameters curve_params;
2935 * ECPoint public;
2936 * } ServerECDHParams;
2937 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2938 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2939 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2940 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2941 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2942
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2943 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2944 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2945 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2946 }
2947 for (; *group_list != 0; group_list++) {
2948 for (curr_tls_id = ssl->handshake->curves_tls_id;
2949 *curr_tls_id != 0; curr_tls_id++) {
2950 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2951 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2952 }
2953 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2954 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2955
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2956curve_matching_done:
2957 if (*curr_tls_id == 0) {
2958 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2959 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2960 }
2961
2962 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2963 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2964
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2965#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2966 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2967 psa_key_attributes_t key_attributes;
2968 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2969 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2970 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2971 // data length(1)
2972 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2973 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2974 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2976 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2977
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2978 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2979 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2980 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2981 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2982 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2983 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2984 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2985 handshake->xxdh_psa_type = key_type;
2986 handshake->xxdh_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2987
2988 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2989 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2990 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2991 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2992 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2993
2994 /*
2995 * ECParameters curve_params
2996 *
2997 * First byte is curve_type, always named_curve
2998 */
2999 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3000
3001 /*
3002 * Next two bytes are the namedcurve value
3003 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3004 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3005 p += 2;
3006
3007 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3009 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3010 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3011 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3012 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3013 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3014 }
3015
3016 /*
3017 * ECPoint public
3018 *
3019 * First byte is data length.
3020 * It will be filled later. p holds now the data length location.
3021 */
3022
3023 /* Export the public part of the ECDH private key from PSA.
3024 * Make one byte space for the length.
3025 */
3026 unsigned char *own_pubkey = p + data_length_size;
3027
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3028 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3029 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3030
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3031 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3032 own_pubkey, own_pubkey_max_len,
3033 &len);
3034 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3035 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3036 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3037 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3038 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3039 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3040 }
3041
3042 /* Store the length of the exported public key. */
3043 *p = (uint8_t) len;
3044
3045 /* Determine full message length. */
3046 len += header_size;
3047#else
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3048 mbedtls_ecp_group_id curr_grp_id =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3049 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3050
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3051 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3052 curr_grp_id)) != 0) {
3053 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3054 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3055 }
3056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3057 if ((ret = mbedtls_ecdh_make_params(
3058 &ssl->handshake->ecdh_ctx, &len,
3059 ssl->out_msg + ssl->out_msglen,
3060 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3061 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3062 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3063 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3064 }
3065
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3066 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3067 MBEDTLS_DEBUG_ECDH_Q);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3068#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3069
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3070#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3071 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3072#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3073
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3074 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3075 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3076#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3077
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3078 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3079 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3080 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3081 * exchange parameters, compute and add the signature here.
3082 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3083 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3084#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3085 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3086 if (dig_signed == NULL) {
3087 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3088 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]3089 }
3090
Gilles Peskine1004c192018-01-08 16:59:14 +0100[diff] [blame]3091 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3092 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3093 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3094
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3095 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3096
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3097 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3098 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3099 * For TLS 1.2, obey signature-hash-algorithm extension
3100 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3101 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3102
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3103 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3104 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3105
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3106 unsigned int sig_hash =
3107 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3108 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3110 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3111
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3112 /* For TLS 1.2, obey signature-hash-algorithm extension
3113 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3114 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3115 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3116 /* (... because we choose a cipher suite
3117 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3118 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3119 }
3120
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3122
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3123 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3124 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3125 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3126 if (md_alg != MBEDTLS_MD_NONE) {
3127 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3128 dig_signed,
3129 dig_signed_len,
3130 md_alg);
3131 if (ret != 0) {
3132 return ret;
3133 }
3134 } else {
3135 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3136 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3137 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3138
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3139 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3140
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3141 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3142 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3143 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3144 /*
3145 * We need to specify signature and hash algorithm explicitly through
3146 * a prefix to the signature.
3147 *
3148 * struct {
3149 * HashAlgorithm hash;
3150 * SignatureAlgorithm signature;
3151 * } SignatureAndHashAlgorithm;
3152 *
3153 * struct {
3154 * SignatureAndHashAlgorithm algorithm;
3155 * opaque signature<0..2^16-1>;
3156 * } DigitallySigned;
3157 *
3158 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3160 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3161 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3162
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3163#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3164 if (ssl->conf->f_async_sign_start != NULL) {
3165 ret = ssl->conf->f_async_sign_start(ssl,
3166 mbedtls_ssl_own_cert(ssl),
3167 md_alg, hash, hashlen);
3168 switch (ret) {
3169 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3170 /* act as if f_async_sign was null */
3171 break;
3172 case 0:
3173 ssl->handshake->async_in_progress = 1;
3174 return ssl_resume_server_key_exchange(ssl, signature_len);
3175 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3176 ssl->handshake->async_in_progress = 1;
3177 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3178 default:
3179 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3180 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3181 }
3182 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3183#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3185 if (mbedtls_ssl_own_key(ssl) == NULL) {
3186 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3187 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3188 }
3189
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3190 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3191 * signature length which will be added in ssl_write_server_key_exchange
3192 * after the call to ssl_prepare_server_key_exchange.
3193 * ssl_write_server_key_exchange also takes care of incrementing
3194 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3195 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3196 md_alg, hash, hashlen,
3197 ssl->out_msg + ssl->out_msglen + 2,
3198 out_buf_len - ssl->out_msglen - 2,
3199 signature_len,
3200 ssl->conf->f_rng,
3201 ssl->conf->p_rng)) != 0) {
3202 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3203 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3204 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3205 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3206#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3207
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3208 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3209}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3210
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3211/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3212 * that do not include a ServerKeyExchange message, do nothing. Either
3213 * way, if successful, move on to the next step in the SSL state
3214 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3215MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3216static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3217{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3219 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3220#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3221 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3222 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3223#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3225 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3226
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3227#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3228 /* Extract static ECDH parameters and abort if ServerKeyExchange
3229 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3230 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3231 /* For suites involving ECDH, extract DH parameters
3232 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3233#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3234 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3235 ret = ssl_get_ecdh_params_from_cert(ssl);
3236 if (ret != 0) {
3237 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3238 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3239 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3240 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3241#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3242
3243 /* Key exchanges not involving ephemeral keys don't use
3244 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3245 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3246 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3247 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3248 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3249#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3250
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3251#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3252 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3253 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3254 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3255 if (ssl->handshake->async_in_progress != 0) {
3256 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3257 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3258 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3259#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3260 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3261 {
3262 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3263 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3264 }
3265
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3266 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3267 /* If we're starting to write a new message, set ssl->out_msglen
3268 * to 0. But if we're resuming after an asynchronous message,
3269 * out_msglen is the amount of data written so far and mst be
3270 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3271 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3272 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3273 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3274 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3275 }
3276 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3277 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3278
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3279 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3280 * ssl_prepare_server_key_exchange already wrote the signature
3281 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3282#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3283 if (signature_len != 0) {
3284 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3285 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3287 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3288 ssl->out_msg + ssl->out_msglen,
3289 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3290
3291 /* Skip over the already-written signature */
3292 ssl->out_msglen += signature_len;
3293 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3294#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3295
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3296 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3297 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3298 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3299
3300 ssl->state++;
3301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3302 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3303 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3304 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3305 }
3306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3307 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3308 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3309}
3310
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3311MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3312static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3313{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3314 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3316 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3317
3318 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3319 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3320 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3321
3322 ssl->state++;
3323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3324#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3325 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3326 mbedtls_ssl_send_flight_completed(ssl);
3327 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3328#endif
3329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3330 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3331 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3332 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3333 }
3334
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3335#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3336 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3337 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3338 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3339 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3340 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3341#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3342
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3343 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3345 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3346}
3347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3348#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3349 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3350MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3351static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3352 const unsigned char *end)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3353{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3354 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3355 size_t n;
3356
3357 /*
3358 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3359 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3360 if (*p + 2 > end) {
3361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3362 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3363 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3366 *p += 2;
3367
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3368 if (*p + n > end) {
3369 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3370 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3371 }
3372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3373 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3374 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3375 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3376 }
3377
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3378 *p += n;
3379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3380 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3382 return ret;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3383}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3385 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3387#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3388 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3389
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3390#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3391MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3392static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3393 unsigned char *peer_pms,
3394 size_t *peer_pmslen,
3395 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3396{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3397 int ret = ssl->conf->f_async_resume(ssl,
3398 peer_pms, peer_pmslen, peer_pmssize);
3399 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3400 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3401 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3402 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3403 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3404 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3405}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3406#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3407
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3408MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3409static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3410 const unsigned char *p,
3411 const unsigned char *end,
3412 unsigned char *peer_pms,
3413 size_t *peer_pmslen,
3414 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3415{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3417
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3418 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3419 if (own_cert == NULL) {
3420 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3421 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3422 }
3423 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3424 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3425 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3426
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3427#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3428 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3429 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3430 if (ssl->handshake->async_in_progress != 0) {
3431 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3432 return ssl_resume_decrypt_pms(ssl,
3433 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3434 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3435#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3436
3437 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3438 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3439 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3440 if (p + 2 > end) {
3441 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3442 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3443 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3444 if (*p++ != MBEDTLS_BYTE_1(len) ||
3445 *p++ != MBEDTLS_BYTE_0(len)) {
3446 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3447 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3448 }
3449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3450 if (p + len != end) {
3451 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3452 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3453 }
3454
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3455 /*
3456 * Decrypt the premaster secret
3457 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3458#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3459 if (ssl->conf->f_async_decrypt_start != NULL) {
3460 ret = ssl->conf->f_async_decrypt_start(ssl,
3461 mbedtls_ssl_own_cert(ssl),
3462 p, len);
3463 switch (ret) {
3464 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3465 /* act as if f_async_decrypt_start was null */
3466 break;
3467 case 0:
3468 ssl->handshake->async_in_progress = 1;
3469 return ssl_resume_decrypt_pms(ssl,
3470 peer_pms,
3471 peer_pmslen,
3472 peer_pmssize);
3473 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3474 ssl->handshake->async_in_progress = 1;
3475 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3476 default:
3477 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3478 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3479 }
3480 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3481#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3483 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3484 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3485 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3486 }
3487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3488 ret = mbedtls_pk_decrypt(private_key, p, len,
3489 peer_pms, peer_pmslen, peer_pmssize,
3490 ssl->conf->f_rng, ssl->conf->p_rng);
3491 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3492}
3493
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3494MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3495static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3496 const unsigned char *p,
3497 const unsigned char *end,
3498 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3499{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3501 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3502 unsigned char ver[2];
3503 unsigned char fake_pms[48], peer_pms[48];
3504 unsigned char mask;
3505 size_t i, peer_pmslen;
3506 unsigned int diff;
3507
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3508 /* In case of a failure in decryption, the decryption may write less than
3509 * 2 bytes of output, but we always read the first two bytes. It doesn't
3510 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3511 * ret being nonzero, and we only care whether diff is 0.
3512 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3513 * also makes memory analyzers happy (don't access uninitialized memory,
3514 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3515 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3516 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3518 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3519 peer_pms,
3520 &peer_pmslen,
3521 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3522
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3523#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3524 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3525 return ret;
3526 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3527#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3529 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3530 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3531
3532 /* Avoid data-dependent branches while checking for invalid
3533 * padding, to protect against timing-based Bleichenbacher-type
3534 * attacks. */
3535 diff = (unsigned int) ret;
3536 diff |= peer_pmslen ^ 48;
3537 diff |= peer_pms[0] ^ ver[0];
3538 diff |= peer_pms[1] ^ ver[1];
3539
3540 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3541 mask = mbedtls_ct_uint_mask(diff);
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3542
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3543 /*
3544 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3545 * must not cause the connection to end immediately; instead, send a
3546 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3547 * To protect against timing-based variants of the attack, we must
3548 * not have any branch that depends on whether the decryption was
3549 * successful. In particular, always generate the fake premaster secret,
3550 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3551 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3552 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3553 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3554 /* It's ok to abort on an RNG failure, since this does not reveal
3555 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3556 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3557 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3558
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3559#if defined(MBEDTLS_SSL_DEBUG_ALL)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3560 if (diff != 0) {
3561 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3562 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3563#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3564
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3565 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3566 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3567 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3568 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3569 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3570 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3571
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3572 /* Set pms to either the true or the fake PMS, without
3573 * data-dependent branches. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3574 for (i = 0; i < ssl->handshake->pmslen; i++) {
3575 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
3576 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3579}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3580#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3581 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3582
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3583#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3584MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3585static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3586 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3587{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3588 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3589 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3591 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3592 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3593 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3594 }
3595
3596 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3597 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3598 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3599 if (end - *p < 2) {
3600 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3601 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3602 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3603
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3604 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3605 *p += 2;
3606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3607 if (n == 0 || n > end - *p) {
3608 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3609 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3610 }
3611
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3612 if (ssl->conf->f_psk != NULL) {
3613 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3614 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3615 }
3616 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3617 /* Identity is not a big secret since clients send it in the clear,
3618 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3619 if (n != ssl->conf->psk_identity_len ||
3620 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3621 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3622 }
3623 }
3624
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3625 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3626 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3627 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3628 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3629 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3630 }
3631
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3632 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3633
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3634 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3635}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3636#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3637
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3638MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3639static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3640{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3641 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3642 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3643 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3644
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3645 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3647 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3648
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3649#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3650 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3651 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3652 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3653 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3654 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3655 /* We've already read a record and there is an asynchronous
3656 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3657 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3658 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3659 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3660#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3661 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3662 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3663 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3664 }
3665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3666 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3667 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3669 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3670 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3671 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3672 }
3673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3674 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3675 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3676 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3677 }
3678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3679#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3680 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3681 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3682 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3683 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3684 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3686 if (p != end) {
3687 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3688 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3689 }
3690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3691 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3692 ssl->handshake->premaster,
3693 MBEDTLS_PREMASTER_SIZE,
3694 &ssl->handshake->pmslen,
3695 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3696 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3697 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3698 }
3699
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3700 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3701 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3702#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3703#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3704 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3706 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3707 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3710 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3711#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3712 size_t data_len = (size_t) (*p++);
3713 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3714 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3715 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3716
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3717 MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3718
3719 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3720 * We must have at least two bytes (1 for length, at least 1 for data)
3721 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3722 if (buf_len < 2) {
3723 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length"));
3724 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3725 }
3726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3727 if (data_len < 1 || data_len > buf_len) {
3728 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length"));
3729 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3730 }
3731
3732 /* Store peer's ECDH public key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3733 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3734 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3735
3736 /* Compute ECDH shared secret. */
3737 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3738 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3739 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3740 handshake->premaster, sizeof(handshake->premaster),
3741 &handshake->pmslen);
3742 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3743 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3744 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3745 if (handshake->xxdh_psa_privkey_is_external == 0) {
3746 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3747 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3748 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3749 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3750 }
3751
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3752 if (handshake->xxdh_psa_privkey_is_external == 0) {
3753 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3754
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3755 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3756 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3757 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3758 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3759 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3760 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3761 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3762#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3763 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3764 p, end - p)) != 0) {
3765 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3766 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3767 }
3768
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3769 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3770 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3771
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3772 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3773 &ssl->handshake->pmslen,
3774 ssl->handshake->premaster,
3775 MBEDTLS_MPI_MAX_SIZE,
3776 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3777 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3778 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3779 }
3780
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3781 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3782 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3783#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3784 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3785#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3786 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3787 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3788 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3789#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3790 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3791 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3792 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3793 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3794 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3795
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3796 if (p != end) {
3797 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3798 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3799 }
3800
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3801#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3802 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3803 (mbedtls_key_exchange_type_t) ciphersuite_info->
3804 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3805 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3806 return ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3807 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3808#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3809 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3810#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3811#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3812 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3813#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3814 if (ssl->handshake->async_in_progress != 0) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3815 /* There is an asynchronous operation in progress to
3816 * decrypt the encrypted premaster secret, so skip
3817 * directly to resuming this operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3818 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3819 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3820 * won't actually use it, but maintain p anyway for robustness. */
3821 p += ssl->conf->psk_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3822 } else
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3823#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3824 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3825 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3826 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3827 }
3828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3829 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3830 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3831 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3832 }
3833
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3834#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3835 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3836 (mbedtls_key_exchange_type_t) ciphersuite_info->
3837 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3838 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3839 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3840 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3841#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3842 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3843#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3844#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3845 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3846 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3847 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3848 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3849 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3850 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3851 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3852 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3853 }
3854
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3855 if (p != end) {
3856 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3857 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3858 }
3859
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3860#if defined(MBEDTLS_USE_PSA_CRYPTO)
3861 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3862 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3863 size_t pms_len;
3864
3865 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3866 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3867 pms + 2, pms_end - (pms + 2), &pms_len,
3868 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3869 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3870 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3871 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3872 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3873 pms += 2 + pms_len;
3874
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3875 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3876#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3877 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3878 (mbedtls_key_exchange_type_t) ciphersuite_info->
3879 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3880 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3881 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3882 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3883#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3884 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3885#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3886#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3887 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3888#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3889 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3890 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3891 uint8_t ecpoint_len;
3892
3893 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3894
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3895 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3896 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3897 psa_destroy_key(handshake->xxdh_psa_privkey);
3898 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3899 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3900 }
3901
3902 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3903 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3904 psa_destroy_key(handshake->xxdh_psa_privkey);
3905 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3906 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3907 }
3908
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3909 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3910 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3911 psa_destroy_key(handshake->xxdh_psa_privkey);
3912 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3913 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3914 }
3915
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3916 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3917 the sizes of the FFDH keys which are at least 2048 bits.
3918 The size of the array is thus greater than 256 bytes which is greater than any
3919 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3920#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3921 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3922 psa_destroy_key(handshake->xxdh_psa_privkey);
3923 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3924 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3925 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3926#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3927 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3928 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3929#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3930
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3931 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3932 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3933 p += ecpoint_len;
3934
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3935 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3936 * - a uint16 containing the length (in octets) of the ECDH computation
3937 * - the octet string produced by the ECDH computation
3938 * - a uint16 containing the length (in octets) of the PSK
3939 * - the PSK itself
3940 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3941 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3942 const unsigned char * const psm_end =
3943 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3944 /* uint16 to store length (in octets) of the ECDH computation */
3945 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3946 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3947
3948 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3949 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3950 handshake->xxdh_psa_privkey,
3951 handshake->xxdh_psa_peerkey,
3952 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3953 psm + zlen_size,
3954 psm_end - (psm + zlen_size),
3955 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3956
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3957 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3958 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3959
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3960 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3961 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3962 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3963 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3964 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3965
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3966 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3967 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3968 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3969
Przemek Stekiel14d11b02022-04-14 08:33:29 +0200[diff] [blame]3970#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3971 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3972 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3973 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3974 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3976 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3977 p, end - p)) != 0) {
3978 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3979 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3980 }
3981
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3982 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3983 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3985 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3986 (mbedtls_key_exchange_type_t) ciphersuite_info->
3987 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3988 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3989 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3990 }
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3991#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3992 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3993#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3994#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3995 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3996 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3997 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3998 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3999 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4000 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4001#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4002#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4003 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4004#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4005 if ((ret = mbedtls_psa_ecjpake_read_round(
4006 &ssl->handshake->psa_pake_ctx, p, end - p,
4007 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4008 psa_destroy_key(ssl->handshake->psa_pake_password);
4009 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4010
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4011 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4012 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4013 }
4014#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4015 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4016 p, end - p);
4017 if (ret != 0) {
4018 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4019 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4020 }
4021
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4022 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4023 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4024 ssl->conf->f_rng, ssl->conf->p_rng);
4025 if (ret != 0) {
4026 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4027 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4028 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4029#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4030 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4031#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4032 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4033 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4034 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4035 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4036
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4037 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4038 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4039 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]4040 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4041
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4042 ssl->state++;
4043
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4044 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4045
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4046 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4047}
4048
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4049#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4050MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4051static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4052{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4053 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4054 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4056 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4058 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4059 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4060 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4061 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4062 }
4063
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4064 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4065 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4066}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4067#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4068MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4069static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4070{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4071 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4072 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4073 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4074 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4075 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4076 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4077 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4078 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4079 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4080 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4081
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4082 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4084 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4085 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4086 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4087 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4088 }
4089
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4090#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4091 if (ssl->session_negotiate->peer_cert == NULL) {
4092 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4093 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4094 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4095 }
4096#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4097 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4098 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4099 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4100 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4101 }
4102#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4103
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4104 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4105 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4106 if (0 != ret) {
4107 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4108 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4109 }
4110
4111 ssl->state++;
4112
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4113 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4114 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4115 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4117 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4118 }
4119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4120 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4121
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4122#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4123 peer_pk = &ssl->handshake->peer_pubkey;
4124#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4125 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4126 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4127 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4128 }
4129 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4130#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4131
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4132 /*
4133 * struct {
4134 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4135 * opaque signature<0..2^16-1>;
4136 * } DigitallySigned;
4137 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4138 if (i + 2 > ssl->in_hslen) {
4139 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4140 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4141 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4142
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4143 /*
4144 * Hash
4145 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4146 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4148 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4149 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4150 " for verify message"));
4151 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4152 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4153
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4154#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4155 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4156 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4157 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4158#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4159
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4160 /* Info from md_alg will be used instead */
4161 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4162
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4163 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4164
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4165 /*
4166 * Signature
4167 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4168 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4169 == MBEDTLS_PK_NONE) {
4170 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4171 " for verify message"));
4172 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]4173 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]4174
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4175 /*
4176 * Check the certificate's key type matches the signature alg
4177 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4178 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4179 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4180 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4181 }
4182
4183 i++;
4184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4185 if (i + 2 > ssl->in_hslen) {
4186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4187 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4188 }
4189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4190 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4191 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4192
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4193 if (i + sig_len != ssl->in_hslen) {
4194 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4195 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4196 }
4197
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4198 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4199 {
4200 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4201 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4202 if (0 != ret) {
4203 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4204 return ret;
4205 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4206 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4207
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4208 if ((ret = mbedtls_pk_verify(peer_pk,
4209 md_alg, hash_start, hashlen,
4210 ssl->in_msg + i, sig_len)) != 0) {
4211 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4212 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4213 }
4214
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4215 ret = mbedtls_ssl_update_handshake_status(ssl);
4216 if (0 != ret) {
4217 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4218 return ret;
4219 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4221 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4222
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4223 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4224}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4225#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4227#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4228MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4229static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4230{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4231 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4232 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]4233 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4234
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4235 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4237 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4238 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4239
4240 /*
4241 * struct {
4242 * uint32 ticket_lifetime_hint;
4243 * opaque ticket<0..2^16-1>;
4244 * } NewSessionTicket;
4245 *
4246 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4247 * 8 . 9 ticket_len (n)
4248 * 10 . 9+n ticket content
4249 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]4250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4251 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4252 ssl->session_negotiate,
4253 ssl->out_msg + 10,
4254 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4255 &tlen, &lifetime)) != 0) {
4256 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]4257 tlen = 0;
4258 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4259
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4260 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4261 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4262 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4263
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]4264 /*
4265 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4266 * ChangeCipherSpec share the same state.
4267 */
4268 ssl->handshake->new_session_ticket = 0;
4269
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4270 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4271 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4272 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4273 }
4274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4275 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4277 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4278}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4279#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4280
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4281/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4282 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4283 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4284int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4285{
4286 int ret = 0;
4287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4288 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4290 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4291 case MBEDTLS_SSL_HELLO_REQUEST:
4292 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4293 break;
4294
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4295 /*
4296 * <== ClientHello
4297 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4298 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4299 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4300 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4302#if defined(MBEDTLS_SSL_PROTO_DTLS)
4303 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4304 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4305#endif
4306
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4307 /*
4308 * ==> ServerHello
4309 * Certificate
4310 * ( ServerKeyExchange )
4311 * ( CertificateRequest )
4312 * ServerHelloDone
4313 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4314 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4315 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4316 break;
4317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4318 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4319 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4320 break;
4321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4322 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4323 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4324 break;
4325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4326 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4327 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4328 break;
4329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4330 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4331 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4332 break;
4333
4334 /*
4335 * <== ( Certificate/Alert )
4336 * ClientKeyExchange
4337 * ( CertificateVerify )
4338 * ChangeCipherSpec
4339 * Finished
4340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4341 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4342 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4343 break;
4344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4345 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4346 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4347 break;
4348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4349 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4350 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4351 break;
4352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4353 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4354 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4355 break;
4356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4357 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4358 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4359 break;
4360
4361 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4362 * ==> ( NewSessionTicket )
4363 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4364 * Finished
4365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4366 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4367#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4368 if (ssl->handshake->new_session_ticket != 0) {
4369 ret = ssl_write_new_session_ticket(ssl);
4370 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4371#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4372 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4373 break;
4374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4375 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4376 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4377 break;
4378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4379 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4380 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4381 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4382 break;
4383
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4384 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4385 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4386 break;
4387
4388 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4389 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4390 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4391 }
4392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4393 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4394}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4396void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4397{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4398 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4399}
4400
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4401#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */