TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ea59c43499ee11a0c061577b9a98462f02b4358e / . / library / ssl_tls12_server.c
blob: 7acede7733996d98db1d22af33b038323bd56029 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]24#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]25
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]26#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]27#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]30#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]31#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]32#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33
34#include <string.h>
35
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]36#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]39#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
40 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]41static int local_err_translation(psa_status_t status)
42{
43 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]44 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]45 psa_generic_status_to_mbedtls);
46}
47#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]48#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]49#endif
50
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]52#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]53#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]56#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
61 const unsigned char *info,
62 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]64 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
65 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
66 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]67
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]69
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]70 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
71 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
72 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]73
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]74 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75 ssl->cli_id_len = ilen;
76
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]77 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]78}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]79
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
81 mbedtls_ssl_cookie_write_t *f_cookie_write,
82 mbedtls_ssl_cookie_check_t *f_cookie_check,
83 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]84{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]85 conf->f_cookie_write = f_cookie_write;
86 conf->f_cookie_check = f_cookie_check;
87 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]88}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]90
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]91#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]92MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]94{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]95 if (conf->f_psk != NULL) {
96 return 1;
97 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]99 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
100 return 0;
101 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]102
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]103
104#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]105 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
106 return 1;
107 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]108#endif /* MBEDTLS_USE_PSA_CRYPTO */
109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]110 if (conf->psk != NULL && conf->psk_len != 0) {
111 return 1;
112 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]115}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]116#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]117
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]118MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]119static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
120 const unsigned char *buf,
121 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]122{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]124 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]125 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]127 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
129 ssl->verify_data_len) != 0) {
130 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
131 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
132 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
133 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]134 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]135 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]136#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]137 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138 if (len != 1 || buf[0] != 0x0) {
139 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
140 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
141 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
142 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]143 }
144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]145 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]146 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]148 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]149}
150
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]151#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]152 defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]153 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]154/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]155 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
156 * curves (TLS 1.2) extension.
157 *
158 * The "extension_data" field of a supported groups extension contains a
159 * "NamedGroupList" value (TLS 1.3 RFC8446):
160 * enum {
161 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
162 * x25519(0x001D), x448(0x001E),
163 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
164 * ffdhe6144(0x0103), ffdhe8192(0x0104),
165 * ffdhe_private_use(0x01FC..0x01FF),
166 * ecdhe_private_use(0xFE00..0xFEFF),
167 * (0xFFFF)
168 * } NamedGroup;
169 * struct {
170 * NamedGroup named_group_list<2..2^16-1>;
171 * } NamedGroupList;
172 *
173 * The "extension_data" field of a supported elliptic curves extension contains
174 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
175 * enum {
176 * deprecated(1..22),
177 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
178 * x25519(29), x448(30),
179 * reserved (0xFE00..0xFEFF),
180 * deprecated(0xFF01..0xFF02),
181 * (0xFFFF)
182 * } NamedCurve;
183 * struct {
184 * NamedCurve named_curve_list<2..2^16-1>
185 * } NamedCurveList;
186 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]187 * The TLS 1.3 supported groups extension was defined to be a compatible
188 * generalization of the TLS 1.2 supported elliptic curves extension. They both
189 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]190 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]191 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]192MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
194 const unsigned char *buf,
195 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]196{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]197 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]198 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]199 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (len < 2) {
202 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
204 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
205 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]206 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]207 list_size = ((buf[0] << 8) | (buf[1]));
208 if (list_size + 2 != len ||
209 list_size % 2 != 0) {
210 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
212 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
213 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]214 }
215
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]216 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 if (ssl->handshake->curves_tls_id != NULL) {
218 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
219 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
220 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
221 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]222 }
223
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]224 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]225 * and leave room for a final 0 */
226 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]228 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]229 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]231 if ((curves_tls_id = mbedtls_calloc(our_size,
232 sizeof(*curves_tls_id))) == NULL) {
233 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
234 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
235 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]236 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]237
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]238 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]239
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]240 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 while (list_size > 0 && our_size > 1) {
242 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]243
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]244 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
245 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]246 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]247 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]248 }
249
250 list_size -= 2;
251 p += 2;
252 }
253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]254 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255}
256
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]257MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]258static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
259 const unsigned char *buf,
260 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]261{
262 size_t list_size;
263 const unsigned char *p;
264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]265 if (len == 0 || (size_t) (buf[0] + 1) != len) {
266 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
268 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
269 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]270 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]271 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]272
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]273 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274 while (list_size > 0) {
275 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
276 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]277#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
278 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]279 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]280#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]281#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
283 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
284 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]285#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]286 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
287 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]288 }
289
290 list_size--;
291 p++;
292 }
293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]295}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]296#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]297 MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]298
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]299#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]300MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]301static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
302 const unsigned char *buf,
303 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]304{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]305 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]307#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]308 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]309#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]310 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]311#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]312 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
314 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]315 }
316
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]317#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]318 if ((ret = mbedtls_psa_ecjpake_read_round(
319 &ssl->handshake->psa_pake_ctx, buf, len,
320 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
321 psa_destroy_key(ssl->handshake->psa_pake_password);
322 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]325 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 ssl,
327 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
328 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]331 }
332#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
334 buf, len)) != 0) {
335 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
336 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
337 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
338 return ret;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]339 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]340#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]341
342 /* Only mark the extension as OK when we're sure it is */
343 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]346}
347#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]349#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]350MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
352 const unsigned char *buf,
353 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]354{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]355 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
356 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
357 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
358 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
359 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]360 }
361
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]362 ssl->session_negotiate->mfl_code = buf[0];
363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]364 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]365}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]367
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]368#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]369MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]370static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
371 const unsigned char *buf,
372 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373{
374 size_t peer_cid_len;
375
376 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
378 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
379 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
380 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
381 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]382 }
383
384 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385 * struct {
386 * opaque cid<0..2^8-1>;
387 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 if (len < 1) {
391 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
392 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
393 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
394 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]395 }
396
397 peer_cid_len = *buf++;
398 len--;
399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 if (len != peer_cid_len) {
401 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
402 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
403 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
404 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]405 }
406
407 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]409 /* Leave ssl->handshake->cid_in_use in its default
410 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]411 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
412 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]413 }
414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
416 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
417 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
418 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
419 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]420 }
421
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]422 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]423 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]425
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]426 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
427 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]428
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]430}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]431#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]433#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]434MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
436 const unsigned char *buf,
437 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]438{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 if (len != 0) {
440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
441 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
442 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
443 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]444 }
445
446 ((void) buf);
447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]449 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]450 }
451
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]452 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]453}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]454#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]456#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]457MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
459 const unsigned char *buf,
460 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]461{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 if (len != 0) {
463 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
464 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
465 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
466 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]467 }
468
469 ((void) buf);
470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]472 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]473 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]475 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]476}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]480MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]481static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
482 unsigned char *buf,
483 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]484{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]485 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]486 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]488 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]489
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]490 if (ssl->conf->f_ticket_parse == NULL ||
491 ssl->conf->f_ticket_write == NULL) {
492 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]493 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]494
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]495 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]496 ssl->handshake->new_session_ticket = 1;
497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 if (len == 0) {
501 return 0;
502 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]504#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
506 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
507 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]508 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]509#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]510
511 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]512 * Failures are ok: just ignore the ticket and proceed.
513 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]514 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
515 buf, len)) != 0) {
516 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
519 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
520 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
521 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
522 } else {
523 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
524 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]525
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]526 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]527 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]528
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]529 /*
530 * Keep the session ID sent by the client, since we MUST send it back to
531 * inform them we're accepting the ticket (RFC 5077 section 3.4)
532 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]533 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]536 mbedtls_ssl_session_free(ssl->session_negotiate);
537 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]538
539 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]540 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]543
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]544 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]545
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]546 /* Don't send a new ticket after all, this one is OK */
547 ssl->handshake->new_session_ticket = 0;
548
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]549 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]550}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]552
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]553#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]554MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
556 const unsigned char *buf,
557 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]558{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]559 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]560 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]561 size_t profile_length;
562 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]563 /*! 2 bytes for profile length and 1 byte for mki len */
564 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]565
566 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]567 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
568 (ssl->conf->dtls_srtp_profile_list == NULL) ||
569 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
570 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]571 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]572
573 /* RFC5764 section 4.1.1
574 * uint8 SRTPProtectionProfile[2];
575 *
576 * struct {
577 * SRTPProtectionProfiles SRTPProtectionProfiles;
578 * opaque srtp_mki<0..255>;
579 * } UseSRTPData;
580
581 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]582 */
583
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]584 /*
585 * Min length is 5: at least one protection profile(2 bytes)
586 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]587 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]588 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]589 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 if (len < size_of_lengths) {
591 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
592 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
593 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]594 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]598 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]599 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]600 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]602 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]603 if (profile_length > len - size_of_lengths ||
604 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
605 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
607 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]608 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]609 /*
610 * parse the extension list values are defined in
611 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
612 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]613 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]614 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]615 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]616
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
618 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
619 mbedtls_ssl_get_srtp_profile_as_string(
620 client_protection)));
621 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]622 continue;
623 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]624 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
626 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]627 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]628 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
629 mbedtls_ssl_get_srtp_profile_as_string(
630 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]631 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]632 }
633 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]635 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]637 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]638 buf += profile_length; /* buf points to the mki length */
639 mki_length = *buf;
640 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
643 mki_length + profile_length + size_of_lengths != len) {
644 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
645 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
646 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]647 }
648
649 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
651 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]652 ssl->dtls_srtp_info.mki_len = mki_length;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]655
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]656 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
657 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]658 }
659
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]660 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]661}
662#endif /* MBEDTLS_SSL_DTLS_SRTP */
663
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]664/*
665 * Auxiliary functions for ServerHello parsing and related actions
666 */
667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]669/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]670 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]671 */
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]672#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]673MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674static int ssl_check_key_curve(mbedtls_pk_context *pk,
675 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]676{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]677 uint16_t *curr_tls_id = curves_tls_id;
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]678 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]679 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]681 while (*curr_tls_id != 0) {
682 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
683 if (curr_grp_id == grp_id) {
684 return 0;
685 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]686 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]687 }
688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]689 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]690}
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]691#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]692
693/*
694 * Try picking a certificate for this ciphersuite,
695 * return 0 on success and -1 on failure.
696 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]697MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698static int ssl_pick_cert(mbedtls_ssl_context *ssl,
699 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]700{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]701 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#if defined(MBEDTLS_USE_PSA_CRYPTO)
703 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]705 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]706 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]707#else
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]708 mbedtls_pk_type_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]709 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]710#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]711 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]713#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]714 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]715 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]717#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]719
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]720 int pk_alg_is_none = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]721#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]723#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]724 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]725#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg_is_none) {
727 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]728 }
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
731
732 if (list == NULL) {
733 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
734 return -1;
735 }
736
737 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]738 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
740 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]741
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]742 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]743#if defined(MBEDTLS_USE_PSA_CRYPTO)
744#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
746 ssl->conf->f_async_decrypt_start != NULL ||
747 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
748 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]749#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]750 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]751 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]752#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
753#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]754 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]755#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 if (!key_type_matches) {
757 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]758 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]759 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]760
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]761 /*
762 * This avoids sending the client a cert it'll reject based on
763 * keyUsage or other extensions.
764 *
765 * It also allows the user to provision different certificates for
766 * different uses based on keyUsage, eg if they want to avoid signing
767 * and decrypting with the same RSA key.
768 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]769 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
770 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
771 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
772 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]773 continue;
774 }
775
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]776#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]777 if (pk_alg == MBEDTLS_PK_ECDSA &&
778 ssl_check_key_curve(&cur->cert->pk,
779 ssl->handshake->curves_tls_id) != 0) {
780 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]781 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]782 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]783#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]784
785 /* If we get there, we got a winner */
786 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]787 }
788
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]789 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]790 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]791 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]792 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
793 ssl->handshake->key_cert->cert);
794 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]795 }
796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]797 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]799#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]800
801/*
802 * Check if a given ciphersuite is suitable for use with our config/keys/etc
803 * Sets ciphersuite_info only if the suite matches.
804 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]805MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
807 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]809 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]810
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]811#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]812 mbedtls_pk_type_t sig_type;
813#endif
814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
816 if (suite_info == NULL) {
817 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
818 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]819 }
820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
822 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]823
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]824 if (suite_info->min_tls_version > ssl->tls_version ||
825 suite_info->max_tls_version < ssl->tls_version) {
826 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
827 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]828 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]829
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]830#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
832 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
833 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
834 "not configured or ext missing"));
835 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]836 }
837#endif
838
839
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]840#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]841 defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]842 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
843 (ssl->handshake->curves_tls_id == NULL ||
844 ssl->handshake->curves_tls_id[0] == 0)) {
845 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
846 "no common elliptic curve"));
847 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]848 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]849#endif
850
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]851#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]852 /* If the ciphersuite requires a pre-shared key and we don't
853 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
855 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
856 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
857 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]858 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]859#endif
860
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]861#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]862 /*
863 * Final check: if ciphersuite requires us to have a
864 * certificate/key of a particular type:
865 * - select the appropriate certificate if we have one, or
866 * - try the next ciphersuite if we don't
867 * This must be done last since we modify the key_cert list.
868 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]869 if (ssl_pick_cert(ssl, suite_info) != 0) {
870 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
871 "no suitable certificate"));
872 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]873 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]874#endif
875
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]876#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
877 /* If the ciphersuite requires signing, check whether
878 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
880 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]881 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]882 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
883 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
884 "for signature algorithm %u", (unsigned) sig_type));
885 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]886 }
887
888#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
889
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]890 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]892}
893
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]894/* This function doesn't alert on errors that happen early during
895 ClientHello parsing because they might indicate that the client is
896 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]897MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]900 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]901 size_t i, j;
902 size_t ciph_offset, comp_offset, ext_offset;
903 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]905 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]906#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]907 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]908#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]909 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]910#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]911 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]912 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]913 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]915 /* If there is no signature-algorithm extension present,
916 * we need to fall back to the default values for allowed
917 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]918#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]919 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]920#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]924 int renegotiating;
925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]926#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]927read_record_header:
928#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]929 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]930 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]931 * otherwise read it ourselves manually in order to support SSLv2
932 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]933 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
934 * ClientHello has been already fully fetched by the TLS 1.3 code and the
935 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]936 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]937 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]938#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]940#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]941 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]943 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
945 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]946 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947 }
948
949 buf = ssl->in_hdr;
950
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]952
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]953 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]954 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]955 *
956 * Record layer:
957 * 0 . 0 message type
958 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]959 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]960 * 3 . 4 message length
961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
963 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]964
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
966 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
967 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]968 }
969
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]970 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
971 (ssl->in_len[0] << 8) | ssl->in_len[1]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
974 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]975
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]976 /* For DTLS if this is the initial handshake, remember the client sequence
977 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_SSL_RENEGOTIATION)
981 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]982#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]983 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]984 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]985 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
986 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
987 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]988 }
989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
991 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]994 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
995 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]996 ssl->next_record_offset = 0;
997 ssl->in_left = 0;
998 goto read_record_header;
999 }
1000
1001 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1002 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]1003#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1004 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1006
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1009#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1010 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]1012 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1013 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1014#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1015 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1016 if (ssl->keep_current_message) {
1017 ssl->keep_current_message = 0;
1018 } else {
1019 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1020 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1021 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1022 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1023
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1024 if ((ret = mbedtls_ssl_fetch_input(ssl,
1025 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1026 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1027 return ret;
1028 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1029
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1030 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1031#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1032 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1033 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1034 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1035#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1036 ssl->in_left = 0;
1037 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]1038 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1039
1040 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1041
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1042 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1043
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1044 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1045 if (0 != ret) {
1046 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1047 return ret;
1048 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1049
1050 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1051 * Handshake layer:
1052 * 0 . 0 handshake type
1053 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1054 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1055 * 6 . 8 DTLS only: fragment offset
1056 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1057 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1058 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1059 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1060 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1061 }
1062
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1063 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1065 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1066 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1067 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1068 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1069 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1070 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1071 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1072 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1073
1074 /* The record layer has a record size limit of 2^14 - 1 and
1075 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076 if (buf[1] != 0) {
1077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1078 (unsigned) buf[1]));
1079 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1080 }
1081
1082 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1083 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1084 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1085 (unsigned) msg_len,
1086 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1087 (unsigned) handshake_len));
1088 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1089 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1090 }
1091
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1092#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1094 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1095 * Copy the client's handshake message_seq on initial handshakes,
1096 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1097 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1100 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1101 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1102 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1103 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1104 "%u (expected %u)", cli_msg_seq,
1105 ssl->handshake->in_msg_seq));
1106 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1107 }
1108
1109 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1111#endif
1112 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1113 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1114 ssl->handshake->out_msg_seq = cli_msg_seq;
1115 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1116 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1117 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1118 /*
1119 * For now we don't support fragmentation, so make sure
1120 * fragment_offset == 0 and fragment_length == length
1121 */
1122 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1124 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1125 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1126 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1127 4, ("fragment_offset=%u fragment_length=%u length=%u",
1128 (unsigned) fragment_offset, (unsigned) fragment_length,
1129 (unsigned) length));
1130 if (fragment_offset != 0 || length != fragment_length) {
1131 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1132 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1133 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1134 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1135 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1138 buf += mbedtls_ssl_hs_hdr_len(ssl);
1139 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1140
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1141 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1142 * ClientHello layer:
1143 * 0 . 1 protocol version
1144 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1145 * 34 . 35 session id length (1 byte)
1146 * 35 . 34+x session id
1147 * 35+x . 35+x DTLS only: cookie length (1 byte)
1148 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1149 * .. . .. ciphersuite list length (2 bytes)
1150 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1151 * .. . .. compression alg. list length (1 byte)
1152 * .. . .. compression alg. list
1153 * .. . .. extensions length (2 bytes, optional)
1154 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1155 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1156
1157 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1158 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1159 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1160 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1161 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1162 if (msg_len < 38) {
1163 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1164 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1165 }
1166
1167 /*
1168 * Check and save the protocol version
1169 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1170 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1171
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1172 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1173 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1174
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1175 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1176 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1177 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1178 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1179 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1180 }
1181
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1182 /*
1183 * Save client random (inc. Unix time)
1184 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1186
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1187 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1188
1189 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1190 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1191 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1192 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1194 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1195 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1196 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1197 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1198 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1199 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1200 }
1201
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1202 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1203
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1204 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1205 memset(ssl->session_negotiate->id, 0,
1206 sizeof(ssl->session_negotiate->id));
1207 memcpy(ssl->session_negotiate->id, buf + 35,
1208 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1209
1210 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1211 * Check the cookie length and content
1212 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1213#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1214 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1215 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1216 cookie_len = buf[cookie_offset];
1217
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1218 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1219 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1220 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1221 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1222 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1223 }
1224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1225 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1226 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1230#if defined(MBEDTLS_SSL_RENEGOTIATION)
1231 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1232#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 ) {
1234 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1235 buf + cookie_offset + 1, cookie_len,
1236 ssl->cli_id, ssl->cli_id_len) != 0) {
1237 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1238 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 } else {
1240 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1241 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1242 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1243 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1244#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1245 {
1246 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1247 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1248 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1249 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1250 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1251 }
1252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1253 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1254 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1255
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1256 /*
1257 * Check the ciphersuitelist length (will be parsed later)
1258 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1259 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1260 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1261#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1262 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1264 ciph_len = (buf[ciph_offset + 0] << 8)
1265 | (buf[ciph_offset + 1]);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1266
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1267 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1268 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1269 (ciph_len % 2) != 0) {
1270 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1271 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1272 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1273 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1274 }
1275
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1276 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1277 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1278
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1279 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1280 * Check the compression algorithm's length.
1281 * The list contents are ignored because implementing
1282 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1283 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1284 */
1285 comp_offset = ciph_offset + 2 + ciph_len;
1286
1287 comp_len = buf[comp_offset];
1288
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1290 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1291 comp_len + comp_offset + 1 > msg_len) {
1292 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1293 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1294 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1295 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1296 }
1297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1298 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1299 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1300
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1301 /*
1302 * Check the extension length
1303 */
1304 ext_offset = comp_offset + 1 + comp_len;
1305 if (msg_len > ext_offset) {
1306 if (msg_len < ext_offset + 2) {
1307 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1308 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1309 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1310 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1311 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1313 ext_len = (buf[ext_offset + 0] << 8)
1314 | (buf[ext_offset + 1]);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1315
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1316 if (msg_len != ext_offset + 2 + ext_len) {
1317 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1318 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1319 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1320 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1321 }
1322 } else {
1323 ext_len = 0;
1324 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1325
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1326 ext = buf + ext_offset + 2;
1327 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1328
1329 while (ext_len != 0) {
1330 unsigned int ext_id;
1331 unsigned int ext_size;
1332 if (ext_len < 4) {
1333 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1334 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1335 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1336 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337 }
1338 ext_id = ((ext[0] << 8) | (ext[1]));
1339 ext_size = ((ext[2] << 8) | (ext[3]));
1340
1341 if (ext_size + 4 > ext_len) {
1342 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1343 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1344 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1345 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1346 }
1347 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1349 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1350 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1351 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1352 ext + 4 + ext_size);
1353 if (ret != 0) {
1354 return ret;
1355 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1356 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1358
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1359 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1360 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1361#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1362 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1363#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1366 if (ret != 0) {
1367 return ret;
1368 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1369 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1370
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1371#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1372 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1373 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1375 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1376 if (ret != 0) {
1377 return ret;
1378 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1379
1380 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1381 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1382#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1383
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1384#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]1385 defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1386 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1387 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1388 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1390 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1391 if (ret != 0) {
1392 return ret;
1393 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1394 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1395
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1396 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1397 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1398 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1400 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1401 if (ret != 0) {
1402 return ret;
1403 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1404 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1405#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]1406 MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1407
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1408#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1409 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1410 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1412 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1413 if (ret != 0) {
1414 return ret;
1415 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1416 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1417#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1419#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1420 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1423 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1424 if (ret != 0) {
1425 return ret;
1426 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1427 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1428#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1429
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1430#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1431 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1432 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1433
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1434 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1435 if (ret != 0) {
1436 return ret;
1437 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1438 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1439#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1441#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1442 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1443 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1444
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1445 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1446 if (ret != 0) {
1447 return ret;
1448 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1449 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1450#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1453 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1454 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1456 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1457 if (ret != 0) {
1458 return ret;
1459 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1460 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1462
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1463#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1464 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1465 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1466
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1467 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1468 if (ret != 0) {
1469 return ret;
1470 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1471 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1472#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1473
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1474#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1475 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1478 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1479 ext + 4 + ext_size);
1480 if (ret != 0) {
1481 return ret;
1482 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1483 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1484#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1485
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1486#if defined(MBEDTLS_SSL_DTLS_SRTP)
1487 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1489
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1490 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1491 if (ret != 0) {
1492 return ret;
1493 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1494 break;
1495#endif /* MBEDTLS_SSL_DTLS_SRTP */
1496
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1497 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1498 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1499 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1500 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1502 ext_len -= 4 + ext_size;
1503 ext += 4 + ext_size;
1504 }
1505
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1506#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1507
1508 /*
1509 * Try to fall back to default hash SHA1 if the client
1510 * hasn't provided any preferred signature-hash combinations.
1511 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1512 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1513 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1514 const uint16_t default_sig_algs[] = {
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]1515#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1516 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1517 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1518#endif
1519#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1520 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1521 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1522#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1523 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1524 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1525
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1526 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1527 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1528 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1529
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1530 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1531 }
1532
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1533#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1534
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1535 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1536 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1537 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1539 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1540 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1542 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1543 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1544 "during renegotiation"));
1545 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1546 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1547 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1548 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1549#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1551 break;
1552 }
1553 }
1554
1555 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1556 * Renegotiation security checks
1557 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1558 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1559 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1560 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1561 handshake_failure = 1;
1562 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1563#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1564 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1565 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1566 renegotiation_info_seen == 0) {
1567 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1568 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1570 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1571 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1572 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1573 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1574 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1575 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1576 renegotiation_info_seen == 1) {
1577 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1578 handshake_failure = 1;
1579 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1580#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1582 if (handshake_failure == 1) {
1583 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1584 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1585 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1586 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1587
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1588 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1589 * Server certification selection (after processing TLS extensions)
1590 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1591 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1592 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1593 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1594 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1595#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1596 ssl->handshake->sni_name = NULL;
1597 ssl->handshake->sni_name_len = 0;
1598#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1599
1600 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1601 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1602 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1603 * and certificate from the SNI callback triggered by the SNI extension
1604 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1605 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1606 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1607 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1608 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1610 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1611 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1612 for (i = 0; ciphersuites[i] != 0; i++) {
1613 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1614 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1615 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1616
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1617 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1619 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1620 &ciphersuite_info)) != 0) {
1621 return ret;
1622 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1623
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1624 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1625 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1626 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1627 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1628 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1629 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1630 for (i = 0; ciphersuites[i] != 0; i++) {
1631 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1632 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1633 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1634 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1635
1636 got_common_suite = 1;
1637
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1638 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1639 &ciphersuite_info)) != 0) {
1640 return ret;
1641 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1643 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1644 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1645 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1646 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1647 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1648 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1649
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1650 if (got_common_suite) {
1651 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1652 "but none of them usable"));
1653 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1654 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1655 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1656 } else {
1657 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1658 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1659 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1660 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1661 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1662
1663have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1665
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1666 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1667 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1668
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669 ssl->state++;
1670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1672 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1673 mbedtls_ssl_recv_flight_completed(ssl);
1674 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1675#endif
1676
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1677 /* Debugging-only output for testsuite */
1678#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1679 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1680 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1681 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1682 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1683 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1684 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1685 sig_hash));
1686 } else {
1687 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1688 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1689 }
1690#endif
1691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1693
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1694 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1695}
1696
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1697#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1698static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1699 unsigned char *buf,
1700 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1701{
1702 unsigned char *p = buf;
1703 size_t ext_len;
1704 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1705
1706 *olen = 0;
1707
1708 /* Skip writing the extension if we don't want to use it or if
1709 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1710 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1711 return;
1712 }
1713
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1714 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1715 * which is at most 255, so the increment cannot overflow. */
1716 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1717 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1718 return;
1719 }
1720
1721 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1722
1723 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1724 * struct {
1725 * opaque cid<0..2^8-1>;
1726 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 */
1728 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1729 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1730 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1731 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1732 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1733
1734 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1735 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1736
1737 *olen = ssl->own_cid_len + 5;
1738}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1739#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1740
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1741#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1743 unsigned char *buf,
1744 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1745{
1746 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1748
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1749 /*
1750 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1751 * from a client and then selects a stream or Authenticated Encryption
1752 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1753 * encrypt-then-MAC response extension back to the client."
1754 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1755 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 ssl->session_negotiate->ciphersuite);
1757 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1758 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1759 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1760 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1761 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1762 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1763 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1764
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1765 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1766 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1767 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1768 }
1769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1770 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1771 *olen = 0;
1772 return;
1773 }
1774
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1775 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1776
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1778 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1779
1780 *p++ = 0x00;
1781 *p++ = 0x00;
1782
1783 *olen = 4;
1784}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1785#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1786
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1788static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1789 unsigned char *buf,
1790 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1791{
1792 unsigned char *p = buf;
1793
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1794 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1795 *olen = 0;
1796 return;
1797 }
1798
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1799 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1800 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1801
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1802 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1803 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1804
1805 *p++ = 0x00;
1806 *p++ = 0x00;
1807
1808 *olen = 4;
1809}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1810#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1811
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1813static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1814 unsigned char *buf,
1815 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1816{
1817 unsigned char *p = buf;
1818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1819 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1820 *olen = 0;
1821 return;
1822 }
1823
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1825
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1826 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1827 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1828
1829 *p++ = 0x00;
1830 *p++ = 0x00;
1831
1832 *olen = 4;
1833}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1834#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1835
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1836static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1837 unsigned char *buf,
1838 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1839{
1840 unsigned char *p = buf;
1841
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1842 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1843 *olen = 0;
1844 return;
1845 }
1846
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1847 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1848
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1849 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1850 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1851
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1853 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1854 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1855 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1856 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1857
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1858 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1859 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1860 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1861 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1862 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1864 {
1865 *p++ = 0x00;
1866 *p++ = 0x01;
1867 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1868 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1869
1870 *olen = p - buf;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1871}
1872
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1873#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1874static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1875 unsigned char *buf,
1876 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1877{
1878 unsigned char *p = buf;
1879
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1880 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1881 *olen = 0;
1882 return;
1883 }
1884
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1885 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1886
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1887 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1888 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1889
1890 *p++ = 0x00;
1891 *p++ = 1;
1892
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1893 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1894
1895 *olen = 5;
1896}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1897#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1898
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1899#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1900 defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1901static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1902 unsigned char *buf,
1903 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1904{
1905 unsigned char *p = buf;
1906 ((void) ssl);
1907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1908 if ((ssl->handshake->cli_exts &
1909 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1910 *olen = 0;
1911 return;
1912 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1913
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1914 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1915
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1916 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1917 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1918
1919 *p++ = 0x00;
1920 *p++ = 2;
1921
1922 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1924
1925 *olen = 6;
1926}
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1927#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || MBEDTLS_ECDSA_C ||
1928 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1929
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1930#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1931static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1932 unsigned char *buf,
1933 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1934{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1936 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1937 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1938 size_t kkpp_len;
1939
1940 *olen = 0;
1941
1942 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1943 if (ssl->handshake->ciphersuite_info->key_exchange !=
1944 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1945 return;
1946 }
1947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1948 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1949
1950 if (end - p < 4) {
1951 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1952 return;
1953 }
1954
1955 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1956 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1957
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1958#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1959 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1960 p + 2, end - p - 2, &kkpp_len,
1961 MBEDTLS_ECJPAKE_ROUND_ONE);
1962 if (ret != 0) {
1963 psa_destroy_key(ssl->handshake->psa_pake_password);
1964 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1965 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1966 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1967 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1968#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1969 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1970 p + 2, end - p - 2, &kkpp_len,
1971 ssl->conf->f_rng, ssl->conf->p_rng);
1972 if (ret != 0) {
1973 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1974 return;
1975 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1976#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1977
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1978 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1979 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1980
1981 *olen = kkpp_len + 4;
1982}
1983#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1985#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1986static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1987 unsigned char *buf,
1988 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1989{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1990 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1991 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1992 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1993
1994 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1995
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1996 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1997 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1998 return;
1999 }
2000
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2001 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2002
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2003 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2004 mki_len = ssl->dtls_srtp_info.mki_len;
2005 }
2006
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]2007 /* The extension total size is 9 bytes :
2008 * - 2 bytes for the extension tag
2009 * - 2 bytes for the total size
2010 * - 2 bytes for the protection profile length
2011 * - 2 bytes for the protection profile
2012 * - 1 byte for the mki length
2013 * + the actual mki length
2014 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2015 if ((size_t) (end - buf) < mki_len + 9) {
2016 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]2017 return;
2018 }
2019
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2020 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2021 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]2022 /*
2023 * total length 5 and mki value: only one profile(2 bytes)
2024 * and length(2 bytes) and srtp_mki )
2025 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2026 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2027 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2028
2029 /* protection profile length: 2 */
2030 buf[4] = 0x00;
2031 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]2032 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2033 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2034 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2035 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2036 } else {
2037 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]2038 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2039 }
2040
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2041 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2042 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2043
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2044 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2045}
2046#endif /* MBEDTLS_SSL_DTLS_SRTP */
2047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2048#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2049MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2050static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2051{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2052 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2053 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2054 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2056 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2057
2058 /*
2059 * struct {
2060 * ProtocolVersion server_version;
2061 * opaque cookie<0..2^8-1>;
2062 * } HelloVerifyRequest;
2063 */
2064
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2065 /* The RFC is not clear on this point, but sending the actual negotiated
2066 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2068 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2069 p += 2;
2070
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2071 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2072 if (ssl->conf->f_cookie_write == NULL) {
2073 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2074 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2075 }
2076
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2077 /* Skip length byte until we know the length */
2078 cookie_len_byte = p++;
2079
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2080 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2081 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2082 ssl->cli_id, ssl->cli_id_len)) != 0) {
2083 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2084 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2085 }
2086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2087 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2088
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2089 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2090
2091 ssl->out_msglen = p - ssl->out_msg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2092 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2093 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2094
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2095 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2096
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2097 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2098 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2099 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2100 }
2101
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2102#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2103 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2104 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2105 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2106 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2107 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2108#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2110 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2111
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2112 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2113}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2116static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2117{
2118 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2119 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2120 mbedtls_ssl_session * const session = ssl->session_negotiate;
2121
2122 /* Resume is 0 by default, see ssl_handshake_init().
2123 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2124 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2125 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2126 }
2127 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2128 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2129 }
2130 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2131 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2132 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2133#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2134 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2135 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2136 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2137#endif
2138
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2139 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2142 session->id,
2143 session->id_len,
2144 &session_tmp);
2145 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2146 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2147 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2148
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2149 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2150 /* Mismatch between cached and negotiated session */
2151 goto exit;
2152 }
2153
2154 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2155 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2156 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2157 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2158
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2159 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2160 ssl->handshake->resume = 1;
2161
2162exit:
2163
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2164 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2165}
2166
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2167MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2168static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2170#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2171 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2172#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2174 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175 unsigned char *buf, *p;
2176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2177 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2179#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2180 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2181 ssl->handshake->cookie_verify_result != 0) {
2182 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2183 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2185 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2186 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2187#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2189 if (ssl->conf->f_rng == NULL) {
2190 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2191 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2192 }
2193
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194 /*
2195 * 0 . 0 handshake type
2196 * 1 . 3 handshake length
2197 * 4 . 5 protocol version
2198 * 6 . 9 UNIX time()
2199 * 10 . 37 random bytes
2200 */
2201 buf = ssl->out_msg;
2202 p = buf + 4;
2203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2204 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2205 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2207 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2208 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2210#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2211 t = mbedtls_time(NULL);
2212 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2213 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2215 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2216 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2217#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2218 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2219 return ret;
2220 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2221
2222 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2223#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2225 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2226 return ret;
2227 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2228 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2229
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2230#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2231 /*
2232 * RFC 8446
2233 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2234 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2235 * response to a ClientHello MUST set the last 8 bytes of their Random
2236 * value specially in their ServerHello.
2237 */
2238 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2239 static const unsigned char magic_tls12_downgrade_string[] =
2240 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2241
2242 MBEDTLS_STATIC_ASSERT(
2243 sizeof(magic_tls12_downgrade_string) == 8,
2244 "magic_tls12_downgrade_string does not have the expected size");
2245
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2246 memcpy(p, magic_tls12_downgrade_string,
2247 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2248 } else
2249#endif
2250 {
2251 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2252 return ret;
2253 }
2254 }
2255 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2257 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2258
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2259 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2261 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2262
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2265 * New session, create a new session id,
2266 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2267 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268 ssl->state++;
2269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2271 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2272#endif
2273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2274#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2275 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2276 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2277 memset(ssl->session_negotiate->id, 0, 32);
2278 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2279#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2280 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2281 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2282 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2283 n)) != 0) {
2284 return ret;
2285 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2286 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2287 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2288 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2289 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2290 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2291 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2292 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2294 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2295 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2296 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2297 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2298 }
2299
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2300 /*
2301 * 38 . 38 session id length
2302 * 39 . 38+n session id
2303 * 39+n . 40+n chosen ciphersuite
2304 * 41+n . 41+n chosen compression alg.
2305 * 42+n . 43+n extensions length
2306 * 44+n . 43+n+m extensions
2307 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2308 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2309 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2310 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2313 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2314 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2315 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2318 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2319 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2322 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2323 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2324 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2325
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2326 /*
2327 * First write extensions, then the total length
2328 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2329 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2330 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2333 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2334 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2335#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2336
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2337#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2338 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2339 ext_len += olen;
2340#endif
2341
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2342#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2343 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2344 ext_len += olen;
2345#endif
2346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2347#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2348 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2349 ext_len += olen;
2350#endif
2351
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2352#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2353 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2354 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2355#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2356
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2357#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
2358 defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2359 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2360 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2361 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2362 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2363 ext_len += olen;
2364 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2365#endif
2366
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2367#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2368 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2369 ext_len += olen;
2370#endif
2371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2372#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2373 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2374 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2375 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2376 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2377 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2378
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2379 ext_len += olen;
2380#endif
2381
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2382#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2384 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2385#endif
2386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2387 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2388 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2390 if (ext_len > 0) {
2391 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2392 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2393 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394
2395 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2396 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2397 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2399 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2401 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2402
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2403 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2404}
2405
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2406#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2407MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2408static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2409{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2410 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2411 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2413 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2416 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2417 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2418 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2419 }
2420
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2421 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2422 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2423}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2424#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2425MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2427{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2428 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2429 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2430 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2431 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2432 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2434 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2435 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2436 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2437
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2438 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2439
2440 ssl->state++;
2441
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2442#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2443 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2444 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2445 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2446#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2448
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2450 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2451 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2452 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2453 }
2454
2455 /*
2456 * 0 . 0 handshake type
2457 * 1 . 3 handshake length
2458 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2459 * 5 .. m-1 cert types
2460 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2461 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2462 * n .. n+1 length of all DNs
2463 * n+2 .. n+3 length of DN 1
2464 * n+4 .. ... Distinguished Name #1
2465 * ... .. ... length of DN 2, etc.
2466 */
2467 buf = ssl->out_msg;
2468 p = buf + 4;
2469
2470 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2471 * Supported certificate types
2472 *
2473 * ClientCertificateType certificate_types<1..2^8-1>;
2474 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2476 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478#if defined(MBEDTLS_RSA_C)
2479 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2480#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2481#if defined(MBEDTLS_ECDSA_C)
2482 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2483#endif
2484
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2485 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2486 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2487
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2488 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2489
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2490 /*
2491 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2492 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2493 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2494 *
2495 * struct {
2496 * HashAlgorithm hash;
2497 * SignatureAlgorithm signature;
2498 * } SignatureAndHashAlgorithm;
2499 *
2500 * enum { (255) } HashAlgorithm;
2501 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2502 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2503 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2504 if (sig_alg == NULL) {
2505 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2506 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2507
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2508 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2509 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2510
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2511 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2512 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2513 }
2514 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2515 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2516 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2517
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2518 /* Write elements at offsets starting from 1 (offset 0 is for the
2519 * length). Thus the offset of each element is the length of the
2520 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2521 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2522 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2523
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2524 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2525
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2526 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2528 sa_len += 2;
2529 p += sa_len;
2530
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2531 /*
2532 * DistinguishedName certificate_authorities<0..2^16-1>;
2533 * opaque DistinguishedName<1..2^16-1>;
2534 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2535 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2537 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2538
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2539 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2540 /* NOTE: If trusted certificates are provisioned
2541 * via a CA callback (configured through
2542 * `mbedtls_ssl_conf_ca_cb()`, then the
2543 * CertificateRequest is currently left empty. */
2544
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2545#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2546#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2547 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2548 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2549 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2550#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2551 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2552 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2553 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2554#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2555#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2556 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2557 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2558 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2559#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2560 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2561
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2562 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2563 /* It follows from RFC 5280 A.1 that this length
2564 * can be represented in at most 11 bits. */
2565 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2566
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2567 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2568 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2569 break;
2570 }
2571
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2572 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2573 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2574 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2575 p += dn_size;
2576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2577 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2578
2579 total_dn_size += 2 + dn_size;
2580 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2581 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2582 }
2583
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2584 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2585 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2586 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2587 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2588
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2589 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2591 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2592
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2593 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2594}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2595#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2596
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2597#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2598 (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2599 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2600MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2601static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2602{
2603 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2604 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2605 mbedtls_pk_context *pk;
2606 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2607 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2608#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2609 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2610 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2611 size_t key_len;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2612 mbedtls_ecp_group_id grp_id;
Valerio Setti3589a4c2023-06-22 09:02:44 +0200[diff] [blame]2613 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2614 mbedtls_ecp_keypair *key;
2615#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2616
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2617 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 if (pk == NULL) {
2620 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2621 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2622
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2623 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2624
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2625 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2627#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2628 case MBEDTLS_PK_ECKEY:
2629 case MBEDTLS_PK_ECKEY_DH:
2630 case MBEDTLS_PK_ECDSA:
2631#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2632 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2633 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2634 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2635
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2636 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
Neil Armstronge88d1902022-04-04 11:25:23 +0200[diff] [blame]2637
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2638 /* Key should not be destroyed in the TLS library */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2639 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2640
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2641 status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2642 &key_attributes);
2643 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2644 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2645 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2646 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2647
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2648 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame^]2649 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2650
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2651 psa_reset_key_attributes(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2652
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2653 ret = 0;
2654 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2655#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2656 case MBEDTLS_PK_ECKEY:
2657 case MBEDTLS_PK_ECKEY_DH:
2658 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2659 key = mbedtls_pk_ec_rw(*pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2660 grp_id = mbedtls_pk_get_group_id(pk);
2661 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2662 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2663 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2664 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2665 if (tls_id == 0) {
2666 /* This elliptic curve is not supported */
2667 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2668 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2670 /* If the above conversion to TLS ID was fine, then also this one will
2671 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2672 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame^]2673 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2674
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2675 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2676
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2677 key_attributes = psa_key_attributes_init();
2678 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2679 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2680 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2681 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame^]2682 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2683
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2684 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2685 ret = mbedtls_ecp_write_key(key, buf, key_len);
2686 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2687 mbedtls_platform_zeroize(buf, sizeof(buf));
2688 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2689 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2691 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2692 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2693 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2694 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2695 mbedtls_platform_zeroize(buf, sizeof(buf));
2696 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2697 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2698
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2699 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2700 ret = 0;
2701 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2702#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2703 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2704 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2705 }
2706
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2707 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2708}
2709#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2710 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2711MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2712static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2713{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2714 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2715
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2716 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2717 if (private_key == NULL) {
2718 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2719 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2720 }
2721
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2722 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2723 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2724 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2725 }
2726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2727 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]2728 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2729 MBEDTLS_ECDH_OURS)) != 0) {
2730 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2731 return ret;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2732 }
2733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2734 return 0;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2735}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2736#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2737 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2738
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2739#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2740 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2741MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2742static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2743 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2744{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2745 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2746 * signature length which will be added in ssl_write_server_key_exchange
2747 * after the call to ssl_prepare_server_key_exchange.
2748 * ssl_write_server_key_exchange also takes care of incrementing
2749 * ssl->out_msglen. */
2750 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2751 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2752 - sig_start);
2753 int ret = ssl->conf->f_async_resume(ssl,
2754 sig_start, signature_len, sig_max_len);
2755 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2756 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2757 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2758 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2759 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2760 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2761}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2762#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2763 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2764
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2765/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2766 * calculating the signature if any, but excluding formatting the
2767 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2768MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2769static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2770 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2771{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2772 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2773 ssl->handshake->ciphersuite_info;
2774
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2775#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2776#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2777 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2778#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2779#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2780
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2781 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2782#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2783 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2784#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2785
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2786#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2787#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2788 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2789#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2790 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2791#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2792#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2793
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2794 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2795
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2796 /*
2797 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2798 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2799 *
2800 */
2801
2802 /*
2803 * - ECJPAKE key exchanges
2804 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2805#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2806 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2807 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2808#if defined(MBEDTLS_USE_PSA_CRYPTO)
2809 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2810 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2811 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2812 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2813 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2814
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2815 /*
2816 * The first 3 bytes are:
2817 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2818 * [1, 2] elliptic curve's TLS ID
2819 *
2820 * However since we only support secp256r1 for now, we hardcode its
2821 * TLS ID here
2822 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2823 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2824 MBEDTLS_ECP_DP_SECP256R1);
2825 if (tls_id == 0) {
2826 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2827 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2828 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2829 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2830 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2831
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2832 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2833 out_p + output_offset,
2834 end_p - out_p - output_offset, &output_len,
2835 MBEDTLS_ECJPAKE_ROUND_TWO);
2836 if (ret != 0) {
2837 psa_destroy_key(ssl->handshake->psa_pake_password);
2838 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2839 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2840 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2841 }
2842
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2843 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2844 ssl->out_msglen += output_offset;
2845#else
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2846 size_t len = 0;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2847
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2848 ret = mbedtls_ecjpake_write_round_two(
2849 &ssl->handshake->ecjpake_ctx,
2850 ssl->out_msg + ssl->out_msglen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2851 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2852 ssl->conf->f_rng, ssl->conf->p_rng);
2853 if (ret != 0) {
2854 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2855 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2856 }
2857
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2858 ssl->out_msglen += len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2859#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2860 }
2861#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2862
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2863 /*
2864 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2865 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2866 * we use empty support identity hints here.
2867 **/
2868#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2869 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2870 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2871 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2872 ssl->out_msg[ssl->out_msglen++] = 0x00;
2873 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2874 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2875#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2876 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2877
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2878 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2879 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2880 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2881#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2882 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2883 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2884 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2885
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2886 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2887 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2888 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2889 }
2890
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2891 /*
2892 * Ephemeral DH parameters:
2893 *
2894 * struct {
2895 * opaque dh_p<1..2^16-1>;
2896 * opaque dh_g<1..2^16-1>;
2897 * opaque dh_Ys<1..2^16-1>;
2898 * } ServerDHParams;
2899 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2900 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2901 &ssl->conf->dhm_P,
2902 &ssl->conf->dhm_G)) != 0) {
2903 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2904 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2905 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2906
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2907 if ((ret = mbedtls_dhm_make_params(
2908 &ssl->handshake->dhm_ctx,
2909 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2910 ssl->out_msg + ssl->out_msglen, &len,
2911 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2912 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2913 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2914 }
2915
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2916#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2917 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2918#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2919
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2920 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2922 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2923 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2924 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2925 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2926 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2927#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2928
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2929 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2930 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2931 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2932#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2933 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2934 /*
2935 * Ephemeral ECDH parameters:
2936 *
2937 * struct {
2938 * ECParameters curve_params;
2939 * ECPoint public;
2940 * } ServerECDHParams;
2941 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2942 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2943 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2944 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2945 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2946
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2947 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2949 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2950 }
2951 for (; *group_list != 0; group_list++) {
2952 for (curr_tls_id = ssl->handshake->curves_tls_id;
2953 *curr_tls_id != 0; curr_tls_id++) {
2954 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2955 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2956 }
2957 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2958 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2959
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2960curve_matching_done:
2961 if (*curr_tls_id == 0) {
2962 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2963 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2964 }
2965
2966 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2967 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2968
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2969#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2970 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2971 psa_key_attributes_t key_attributes;
2972 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2973 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2974 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2975 // data length(1)
2976 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2977 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2978 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2979
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2980 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2981
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2982 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2983 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2984 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2985 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2986 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2987 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2988 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2989 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame^]2990 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2991
2992 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2993 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2994 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2995 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame^]2996 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2997
2998 /*
2999 * ECParameters curve_params
3000 *
3001 * First byte is curve_type, always named_curve
3002 */
3003 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3004
3005 /*
3006 * Next two bytes are the namedcurve value
3007 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3009 p += 2;
3010
3011 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3012 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3013 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3014 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3015 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3016 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3017 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3018 }
3019
3020 /*
3021 * ECPoint public
3022 *
3023 * First byte is data length.
3024 * It will be filled later. p holds now the data length location.
3025 */
3026
3027 /* Export the public part of the ECDH private key from PSA.
3028 * Make one byte space for the length.
3029 */
3030 unsigned char *own_pubkey = p + data_length_size;
3031
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3032 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3033 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3034
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3035 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3036 own_pubkey, own_pubkey_max_len,
3037 &len);
3038 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3039 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3040 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3041 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3042 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3043 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3044 }
3045
3046 /* Store the length of the exported public key. */
3047 *p = (uint8_t) len;
3048
3049 /* Determine full message length. */
3050 len += header_size;
3051#else
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3052 mbedtls_ecp_group_id curr_grp_id =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3053 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3054
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3055 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3056 curr_grp_id)) != 0) {
3057 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3058 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3059 }
3060
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 if ((ret = mbedtls_ecdh_make_params(
3062 &ssl->handshake->ecdh_ctx, &len,
3063 ssl->out_msg + ssl->out_msglen,
3064 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3065 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3066 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3067 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3068 }
3069
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3070 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3071 MBEDTLS_DEBUG_ECDH_Q);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3072#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3073
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3074#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3075 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3076#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3077
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3078 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3079 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3080#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3081
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3082 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3083 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3084 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3085 * exchange parameters, compute and add the signature here.
3086 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3087 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3088#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3089 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3090 if (dig_signed == NULL) {
3091 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3092 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]3093 }
3094
Gilles Peskine1004c192018-01-08 16:59:14 +0100[diff] [blame]3095 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3096 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3097 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3098
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3099 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3100
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3101 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3102 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3103 * For TLS 1.2, obey signature-hash-algorithm extension
3104 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3105 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3106
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3107 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3108 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3109
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3110 unsigned int sig_hash =
3111 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3112 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3114 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3115
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3116 /* For TLS 1.2, obey signature-hash-algorithm extension
3117 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3118 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3119 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3120 /* (... because we choose a cipher suite
3121 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3122 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3123 }
3124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3125 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3126
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3127 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3128 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3129 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3130 if (md_alg != MBEDTLS_MD_NONE) {
3131 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3132 dig_signed,
3133 dig_signed_len,
3134 md_alg);
3135 if (ret != 0) {
3136 return ret;
3137 }
3138 } else {
3139 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3140 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3141 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3142
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3143 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3144
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3145 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3146 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3147 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3148 /*
3149 * We need to specify signature and hash algorithm explicitly through
3150 * a prefix to the signature.
3151 *
3152 * struct {
3153 * HashAlgorithm hash;
3154 * SignatureAlgorithm signature;
3155 * } SignatureAndHashAlgorithm;
3156 *
3157 * struct {
3158 * SignatureAndHashAlgorithm algorithm;
3159 * opaque signature<0..2^16-1>;
3160 * } DigitallySigned;
3161 *
3162 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3163
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3164 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3165 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3166
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3167#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3168 if (ssl->conf->f_async_sign_start != NULL) {
3169 ret = ssl->conf->f_async_sign_start(ssl,
3170 mbedtls_ssl_own_cert(ssl),
3171 md_alg, hash, hashlen);
3172 switch (ret) {
3173 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3174 /* act as if f_async_sign was null */
3175 break;
3176 case 0:
3177 ssl->handshake->async_in_progress = 1;
3178 return ssl_resume_server_key_exchange(ssl, signature_len);
3179 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3180 ssl->handshake->async_in_progress = 1;
3181 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3182 default:
3183 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3184 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3185 }
3186 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3187#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3189 if (mbedtls_ssl_own_key(ssl) == NULL) {
3190 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3191 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3192 }
3193
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3194 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3195 * signature length which will be added in ssl_write_server_key_exchange
3196 * after the call to ssl_prepare_server_key_exchange.
3197 * ssl_write_server_key_exchange also takes care of incrementing
3198 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3199 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3200 md_alg, hash, hashlen,
3201 ssl->out_msg + ssl->out_msglen + 2,
3202 out_buf_len - ssl->out_msglen - 2,
3203 signature_len,
3204 ssl->conf->f_rng,
3205 ssl->conf->p_rng)) != 0) {
3206 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3207 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3208 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3209 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3210#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3211
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3212 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3213}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3214
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3215/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3216 * that do not include a ServerKeyExchange message, do nothing. Either
3217 * way, if successful, move on to the next step in the SSL state
3218 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3219MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3220static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3221{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3222 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3223 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3224#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3225 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3226 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3227#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3229 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3230
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3231#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3232 /* Extract static ECDH parameters and abort if ServerKeyExchange
3233 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3234 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3235 /* For suites involving ECDH, extract DH parameters
3236 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3237#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3238 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3239 ret = ssl_get_ecdh_params_from_cert(ssl);
3240 if (ret != 0) {
3241 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3242 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3243 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3244 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3245#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3246
3247 /* Key exchanges not involving ephemeral keys don't use
3248 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3249 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3250 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3251 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3252 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3253#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3254
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3255#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3256 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3257 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3258 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3259 if (ssl->handshake->async_in_progress != 0) {
3260 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3261 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3262 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3263#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3264 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3265 {
3266 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3267 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3268 }
3269
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3270 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3271 /* If we're starting to write a new message, set ssl->out_msglen
3272 * to 0. But if we're resuming after an asynchronous message,
3273 * out_msglen is the amount of data written so far and mst be
3274 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3275 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3276 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3277 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3278 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3279 }
3280 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3281 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3282
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3283 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3284 * ssl_prepare_server_key_exchange already wrote the signature
3285 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3286#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3287 if (signature_len != 0) {
3288 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3289 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3290
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3291 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3292 ssl->out_msg + ssl->out_msglen,
3293 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3294
3295 /* Skip over the already-written signature */
3296 ssl->out_msglen += signature_len;
3297 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3298#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3299
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3300 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3301 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3302 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3303
3304 ssl->state++;
3305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3306 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3307 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3308 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3309 }
3310
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3311 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3312 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3313}
3314
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3315MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3316static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3317{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3318 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3319
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3320 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3321
3322 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3323 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3324 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3325
3326 ssl->state++;
3327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3328#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3329 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3330 mbedtls_ssl_send_flight_completed(ssl);
3331 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3332#endif
3333
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3334 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3335 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3336 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3337 }
3338
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3339#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3340 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3341 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3342 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3343 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3344 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3345#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3346
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3347 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3349 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3350}
3351
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3352#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3353 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3354MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3355static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3356 const unsigned char *end)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3357{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3358 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3359 size_t n;
3360
3361 /*
3362 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3363 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3364 if (*p + 2 > end) {
3365 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3366 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3367 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3369 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3370 *p += 2;
3371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3372 if (*p + n > end) {
3373 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3374 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3375 }
3376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3377 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3378 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3379 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3380 }
3381
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3382 *p += n;
3383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3384 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3386 return ret;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3387}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3388#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3389 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3391#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3392 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3393
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3394#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3395MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3396static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3397 unsigned char *peer_pms,
3398 size_t *peer_pmslen,
3399 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3400{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3401 int ret = ssl->conf->f_async_resume(ssl,
3402 peer_pms, peer_pmslen, peer_pmssize);
3403 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3404 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3405 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3406 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3407 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3408 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3409}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3410#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3411
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3412MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3413static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3414 const unsigned char *p,
3415 const unsigned char *end,
3416 unsigned char *peer_pms,
3417 size_t *peer_pmslen,
3418 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3419{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3420 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3421
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3422 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3423 if (own_cert == NULL) {
3424 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3425 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3426 }
3427 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3428 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3429 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3430
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3431#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3432 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3433 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3434 if (ssl->handshake->async_in_progress != 0) {
3435 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3436 return ssl_resume_decrypt_pms(ssl,
3437 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3438 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3439#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3440
3441 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3442 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3443 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3444 if (p + 2 > end) {
3445 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3446 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3447 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3448 if (*p++ != MBEDTLS_BYTE_1(len) ||
3449 *p++ != MBEDTLS_BYTE_0(len)) {
3450 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3451 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3452 }
3453
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3454 if (p + len != end) {
3455 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3456 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3457 }
3458
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3459 /*
3460 * Decrypt the premaster secret
3461 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3462#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3463 if (ssl->conf->f_async_decrypt_start != NULL) {
3464 ret = ssl->conf->f_async_decrypt_start(ssl,
3465 mbedtls_ssl_own_cert(ssl),
3466 p, len);
3467 switch (ret) {
3468 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3469 /* act as if f_async_decrypt_start was null */
3470 break;
3471 case 0:
3472 ssl->handshake->async_in_progress = 1;
3473 return ssl_resume_decrypt_pms(ssl,
3474 peer_pms,
3475 peer_pmslen,
3476 peer_pmssize);
3477 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3478 ssl->handshake->async_in_progress = 1;
3479 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3480 default:
3481 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3482 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3483 }
3484 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3485#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3487 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3488 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3489 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3490 }
3491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3492 ret = mbedtls_pk_decrypt(private_key, p, len,
3493 peer_pms, peer_pmslen, peer_pmssize,
3494 ssl->conf->f_rng, ssl->conf->p_rng);
3495 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3496}
3497
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3498MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3499static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3500 const unsigned char *p,
3501 const unsigned char *end,
3502 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3503{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3504 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3505 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3506 unsigned char ver[2];
3507 unsigned char fake_pms[48], peer_pms[48];
3508 unsigned char mask;
3509 size_t i, peer_pmslen;
3510 unsigned int diff;
3511
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3512 /* In case of a failure in decryption, the decryption may write less than
3513 * 2 bytes of output, but we always read the first two bytes. It doesn't
3514 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3515 * ret being nonzero, and we only care whether diff is 0.
3516 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3517 * also makes memory analyzers happy (don't access uninitialized memory,
3518 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3519 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3520 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3522 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3523 peer_pms,
3524 &peer_pmslen,
3525 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3526
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3527#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3528 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3529 return ret;
3530 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3531#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3532
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3533 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3534 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3535
3536 /* Avoid data-dependent branches while checking for invalid
3537 * padding, to protect against timing-based Bleichenbacher-type
3538 * attacks. */
3539 diff = (unsigned int) ret;
3540 diff |= peer_pmslen ^ 48;
3541 diff |= peer_pms[0] ^ ver[0];
3542 diff |= peer_pms[1] ^ ver[1];
3543
3544 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3545 mask = mbedtls_ct_uint_mask(diff);
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3546
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3547 /*
3548 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3549 * must not cause the connection to end immediately; instead, send a
3550 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3551 * To protect against timing-based variants of the attack, we must
3552 * not have any branch that depends on whether the decryption was
3553 * successful. In particular, always generate the fake premaster secret,
3554 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3555 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3556 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3557 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3558 /* It's ok to abort on an RNG failure, since this does not reveal
3559 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3560 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3561 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3562
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3563#if defined(MBEDTLS_SSL_DEBUG_ALL)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3564 if (diff != 0) {
3565 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3566 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3567#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3569 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3570 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3571 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3572 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3573 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3574 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3575
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3576 /* Set pms to either the true or the fake PMS, without
3577 * data-dependent branches. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 for (i = 0; i < ssl->handshake->pmslen; i++) {
3579 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
3580 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3582 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3583}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3584#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3585 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3586
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3587#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3588MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3589static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3590 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3591{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3592 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3593 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3594
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3595 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3596 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3597 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3598 }
3599
3600 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3601 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3602 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3603 if (end - *p < 2) {
3604 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3605 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3606 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3608 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3609 *p += 2;
3610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3611 if (n == 0 || n > end - *p) {
3612 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3613 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3614 }
3615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3616 if (ssl->conf->f_psk != NULL) {
3617 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3618 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3619 }
3620 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3621 /* Identity is not a big secret since clients send it in the clear,
3622 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3623 if (n != ssl->conf->psk_identity_len ||
3624 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3625 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3626 }
3627 }
3628
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3629 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3630 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3631 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3632 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3633 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3634 }
3635
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3636 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3637
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3638 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3639}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3640#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3641
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3642MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3643static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3644{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3646 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3647 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3648
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3649 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3650
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3651 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3652
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3653#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3654 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3655 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3656 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3657 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3658 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3659 /* We've already read a record and there is an asynchronous
3660 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3661 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3662 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3663 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3664#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3665 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3666 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3667 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3668 }
3669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3670 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3671 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3673 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3674 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3675 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3676 }
3677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3678 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3679 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3680 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3681 }
3682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3683#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3684 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3685 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3686 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3687 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3688 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3689
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3690 if (p != end) {
3691 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3692 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3693 }
3694
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3695 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3696 ssl->handshake->premaster,
3697 MBEDTLS_PREMASTER_SIZE,
3698 &ssl->handshake->pmslen,
3699 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3700 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3701 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3702 }
3703
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3704 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3705 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3706#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3707#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3708 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3709 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3710 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3711 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3712 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3713 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3714 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3715#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3716 size_t data_len = (size_t) (*p++);
3717 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3718 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3719 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3720
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3721 MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3722
3723 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3724 * We must have at least two bytes (1 for length, at least 1 for data)
3725 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3726 if (buf_len < 2) {
3727 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length"));
3728 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3729 }
3730
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3731 if (data_len < 1 || data_len > buf_len) {
3732 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length"));
3733 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3734 }
3735
3736 /* Store peer's ECDH public key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3737 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3738 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3739
3740 /* Compute ECDH shared secret. */
3741 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3742 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3743 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3744 handshake->premaster, sizeof(handshake->premaster),
3745 &handshake->pmslen);
3746 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3747 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3748 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3749 if (handshake->xxdh_psa_privkey_is_external == 0) {
3750 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3751 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3752 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3753 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3754 }
3755
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3756 if (handshake->xxdh_psa_privkey_is_external == 0) {
3757 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3758
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3759 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3760 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3761 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3762 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3763 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3764 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3765 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3766#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3767 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3768 p, end - p)) != 0) {
3769 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3770 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3771 }
3772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3773 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3774 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3776 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3777 &ssl->handshake->pmslen,
3778 ssl->handshake->premaster,
3779 MBEDTLS_MPI_MAX_SIZE,
3780 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3781 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3782 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3783 }
3784
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3785 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3786 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3787#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3788 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3789#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3790 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3791 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3792 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3793#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3794 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3795 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3796 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3797 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3798 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3799
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3800 if (p != end) {
3801 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3802 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3803 }
3804
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3805#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3806 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3807 ciphersuite_info->key_exchange)) != 0) {
3808 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3809 return ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3810 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3811#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3812 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3813#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3814#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3815 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3816#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3817 if (ssl->handshake->async_in_progress != 0) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3818 /* There is an asynchronous operation in progress to
3819 * decrypt the encrypted premaster secret, so skip
3820 * directly to resuming this operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3821 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3822 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3823 * won't actually use it, but maintain p anyway for robustness. */
3824 p += ssl->conf->psk_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3825 } else
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3826#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3827 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3828 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3829 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3830 }
3831
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3832 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3833 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3834 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3835 }
3836
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3837#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3838 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3839 ciphersuite_info->key_exchange)) != 0) {
3840 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3841 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3842 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3843#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3844 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3845#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3846#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3847 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3848 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3849 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3850 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3851 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3852 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3853 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3854 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3855 }
3856
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3857 if (p != end) {
3858 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3859 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3860 }
3861
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3862#if defined(MBEDTLS_USE_PSA_CRYPTO)
3863 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3864 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3865 size_t pms_len;
3866
3867 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3868 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3869 pms + 2, pms_end - (pms + 2), &pms_len,
3870 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3871 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3872 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3873 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3874 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3875 pms += 2 + pms_len;
3876
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3877 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3878#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3879 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3880 ciphersuite_info->key_exchange)) != 0) {
3881 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3882 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3883 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3884#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3885 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3886#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3887#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3888 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3889#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3890 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3891 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3892 uint8_t ecpoint_len;
3893
3894 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3895
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3896 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3897 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3898 psa_destroy_key(handshake->xxdh_psa_privkey);
3899 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3900 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3901 }
3902
3903 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3904 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3905 psa_destroy_key(handshake->xxdh_psa_privkey);
3906 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3907 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3908 }
3909
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3910 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3911 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3912 psa_destroy_key(handshake->xxdh_psa_privkey);
3913 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3914 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3915 }
3916
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3917 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3918 the sizes of the FFDH keys which are at least 2048 bits.
3919 The size of the array is thus greater than 256 bytes which is greater than any
3920 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3921#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3922 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3923 psa_destroy_key(handshake->xxdh_psa_privkey);
3924 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3925 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3926 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3927#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3928 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3929 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3930#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3931
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3932 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3933 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3934 p += ecpoint_len;
3935
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3936 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3937 * - a uint16 containing the length (in octets) of the ECDH computation
3938 * - the octet string produced by the ECDH computation
3939 * - a uint16 containing the length (in octets) of the PSK
3940 * - the PSK itself
3941 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3942 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3943 const unsigned char * const psm_end =
3944 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3945 /* uint16 to store length (in octets) of the ECDH computation */
3946 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3947 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3948
3949 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3950 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3951 handshake->xxdh_psa_privkey,
3952 handshake->xxdh_psa_peerkey,
3953 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3954 psm + zlen_size,
3955 psm_end - (psm + zlen_size),
3956 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3957
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3958 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3959 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3960
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3961 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3962 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3963 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3964 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3965 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3966
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3967 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3968 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3969 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3970
Przemek Stekiel14d11b02022-04-14 08:33:29 +0200[diff] [blame]3971#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3972 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3973 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3974 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3975 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3977 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3978 p, end - p)) != 0) {
3979 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3980 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3981 }
3982
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3983 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3984 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3986 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3987 ciphersuite_info->key_exchange)) != 0) {
3988 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3989 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3990 }
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3991#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3992 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3993#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3994#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3995 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3996 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3997 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3998 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3999 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4000 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4001#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4002#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4003 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4004#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4005 if ((ret = mbedtls_psa_ecjpake_read_round(
4006 &ssl->handshake->psa_pake_ctx, p, end - p,
4007 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4008 psa_destroy_key(ssl->handshake->psa_pake_password);
4009 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4010
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4011 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4012 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4013 }
4014#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4015 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4016 p, end - p);
4017 if (ret != 0) {
4018 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4019 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4020 }
4021
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4022 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4023 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4024 ssl->conf->f_rng, ssl->conf->p_rng);
4025 if (ret != 0) {
4026 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4027 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4028 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4029#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4030 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4031#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4032 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4033 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4034 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4035 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4036
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4037 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4038 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4039 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]4040 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4041
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4042 ssl->state++;
4043
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4044 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4045
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4046 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4047}
4048
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4049#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4050MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4051static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4052{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4053 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4054 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4056 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4058 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4059 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4060 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4061 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4062 }
4063
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4064 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4065 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4066}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4067#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4068MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4069static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4070{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4071 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4072 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4073 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4074 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4075 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4076 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4077 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4078 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4079 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4080 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4081
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4082 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4084 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4085 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4086 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4087 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4088 }
4089
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4090#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4091 if (ssl->session_negotiate->peer_cert == NULL) {
4092 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4093 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4094 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4095 }
4096#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4097 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4098 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4099 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4100 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4101 }
4102#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4103
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4104 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4105 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4106 if (0 != ret) {
4107 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4108 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4109 }
4110
4111 ssl->state++;
4112
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4113 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4114 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4115 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4117 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4118 }
4119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4120 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4121
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4122#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4123 peer_pk = &ssl->handshake->peer_pubkey;
4124#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4125 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4126 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4127 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4128 }
4129 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4130#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4131
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4132 /*
4133 * struct {
4134 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4135 * opaque signature<0..2^16-1>;
4136 * } DigitallySigned;
4137 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4138 if (i + 2 > ssl->in_hslen) {
4139 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4140 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4141 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4142
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4143 /*
4144 * Hash
4145 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4146 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4148 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4149 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4150 " for verify message"));
4151 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4152 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4153
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4154#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4155 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4156 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4157 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4158#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4159
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4160 /* Info from md_alg will be used instead */
4161 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4162
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4163 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4164
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4165 /*
4166 * Signature
4167 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4168 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4169 == MBEDTLS_PK_NONE) {
4170 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4171 " for verify message"));
4172 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]4173 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]4174
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4175 /*
4176 * Check the certificate's key type matches the signature alg
4177 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4178 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4179 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4180 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4181 }
4182
4183 i++;
4184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4185 if (i + 2 > ssl->in_hslen) {
4186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4187 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4188 }
4189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4190 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4191 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4192
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4193 if (i + sig_len != ssl->in_hslen) {
4194 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4195 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4196 }
4197
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4198 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4199 {
4200 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4201 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4202 if (0 != ret) {
4203 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4204 return ret;
4205 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4206 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4207
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4208 if ((ret = mbedtls_pk_verify(peer_pk,
4209 md_alg, hash_start, hashlen,
4210 ssl->in_msg + i, sig_len)) != 0) {
4211 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4212 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4213 }
4214
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4215 ret = mbedtls_ssl_update_handshake_status(ssl);
4216 if (0 != ret) {
4217 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4218 return ret;
4219 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4221 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4222
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4223 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4224}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4225#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4227#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4228MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4229static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4230{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4231 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4232 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]4233 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4234
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4235 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4237 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4238 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4239
4240 /*
4241 * struct {
4242 * uint32 ticket_lifetime_hint;
4243 * opaque ticket<0..2^16-1>;
4244 * } NewSessionTicket;
4245 *
4246 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4247 * 8 . 9 ticket_len (n)
4248 * 10 . 9+n ticket content
4249 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]4250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4251 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4252 ssl->session_negotiate,
4253 ssl->out_msg + 10,
4254 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4255 &tlen, &lifetime)) != 0) {
4256 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]4257 tlen = 0;
4258 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4259
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4260 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4261 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4262 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4263
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]4264 /*
4265 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4266 * ChangeCipherSpec share the same state.
4267 */
4268 ssl->handshake->new_session_ticket = 0;
4269
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4270 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4271 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4272 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4273 }
4274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4275 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4277 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4278}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4279#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4280
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4281/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4282 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4283 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4284int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4285{
4286 int ret = 0;
4287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4288 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4290 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4291 case MBEDTLS_SSL_HELLO_REQUEST:
4292 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4293 break;
4294
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4295 /*
4296 * <== ClientHello
4297 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4298 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4299 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4300 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4302#if defined(MBEDTLS_SSL_PROTO_DTLS)
4303 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4304 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4305#endif
4306
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4307 /*
4308 * ==> ServerHello
4309 * Certificate
4310 * ( ServerKeyExchange )
4311 * ( CertificateRequest )
4312 * ServerHelloDone
4313 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4314 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4315 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4316 break;
4317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4318 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4319 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4320 break;
4321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4322 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4323 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4324 break;
4325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4326 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4327 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4328 break;
4329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4330 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4331 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4332 break;
4333
4334 /*
4335 * <== ( Certificate/Alert )
4336 * ClientKeyExchange
4337 * ( CertificateVerify )
4338 * ChangeCipherSpec
4339 * Finished
4340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4341 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4342 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4343 break;
4344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4345 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4346 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4347 break;
4348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4349 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4350 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4351 break;
4352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4353 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4354 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4355 break;
4356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4357 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4358 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4359 break;
4360
4361 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4362 * ==> ( NewSessionTicket )
4363 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4364 * Finished
4365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4366 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4367#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4368 if (ssl->handshake->new_session_ticket != 0) {
4369 ret = ssl_write_new_session_ticket(ssl);
4370 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4371#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4372 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4373 break;
4374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4375 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4376 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4377 break;
4378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4379 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4380 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4381 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4382 break;
4383
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4384 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4385 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4386 break;
4387
4388 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4389 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4390 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4391 }
4392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4393 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4394}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4396void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4397{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4398 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4399}
4400
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4401#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */