TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/2.28-sphinx-versioned-documentation / . / library / ssl_cli.c
blob: b693d53031b276ec7f0fbe8f0eec181c39610771 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]24#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]25
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]26#include "mbedtls/ssl.h"
27#include "mbedtls/ssl_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Gabor Mezeie24dea82021-10-19 12:22:25 +0200[diff] [blame]30#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]31
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]32#if defined(MBEDTLS_USE_PSA_CRYPTO)
33#include "mbedtls/psa_util.h"
Ronald Cron3a95d2b2021-10-18 09:47:58 +0200[diff] [blame]34#include "psa/crypto.h"
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]35#endif /* MBEDTLS_USE_PSA_CRYPTO */
36
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]37#include <string.h>
38
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]39#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]40
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]42#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]43#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]46#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]47#endif
48
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]49#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]50MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]51static int ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]52{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]53 if (conf->psk_identity == NULL ||
54 conf->psk_identity_len == 0) {
55 return 0;
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]56 }
57
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]58 if (conf->psk != NULL && conf->psk_len != 0) {
59 return 1;
60 }
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]61
62#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]63 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
64 return 1;
65 }
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]66#endif /* MBEDTLS_USE_PSA_CRYPTO */
67
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]68 return 0;
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]69}
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]70
71#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]72MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]73static int ssl_conf_has_static_raw_psk(mbedtls_ssl_config const *conf)
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]74{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]75 if (conf->psk_identity == NULL ||
76 conf->psk_identity_len == 0) {
77 return 0;
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]78 }
79
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]80 if (conf->psk != NULL && conf->psk_len != 0) {
81 return 1;
82 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]83
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]84 return 0;
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]85}
86#endif /* MBEDTLS_USE_PSA_CRYPTO */
87
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]88#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]89
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]91MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]92static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
93 unsigned char *buf,
94 const unsigned char *end,
95 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]96{
97 unsigned char *p = buf;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]98 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]99
100 *olen = 0;
101
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]102 if (ssl->hostname == NULL) {
103 return 0;
104 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]105
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]106 MBEDTLS_SSL_DEBUG_MSG(3,
107 ("client hello, adding server name extension: %s",
108 ssl->hostname));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]109
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]110 hostname_len = strlen(ssl->hostname);
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]111
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]112 MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]113
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]114 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]115 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
116 *
117 * In order to provide any of the server names, clients MAY include an
118 * extension of type "server_name" in the (extended) client hello. The
119 * "extension_data" field of this extension SHALL contain
120 * "ServerNameList" where:
121 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122 * struct {
123 * NameType name_type;
124 * select (name_type) {
125 * case host_name: HostName;
126 * } name;
127 * } ServerName;
128 *
129 * enum {
130 * host_name(0), (255)
131 * } NameType;
132 *
133 * opaque HostName<1..2^16-1>;
134 *
135 * struct {
136 * ServerName server_name_list<1..2^16-1>
137 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]138 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]139 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]140 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]141 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]142
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]143 MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]144 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]145
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]146 MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]147 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]149 *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]150
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]151 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]152 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]153
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]154 memcpy(p, ssl->hostname, hostname_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]155
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]156 *olen = hostname_len + 9;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]157
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]158 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]159}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]160#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]162#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]163MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]164static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
165 unsigned char *buf,
166 const unsigned char *end,
167 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]168{
169 unsigned char *p = buf;
170
171 *olen = 0;
172
Tom Cosgrove5205c972022-07-28 06:12:08 +0100[diff] [blame]173 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]174 * initial ClientHello, in which case also adding the renegotiation
175 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]176 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
177 return 0;
178 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]179
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]180 MBEDTLS_SSL_DEBUG_MSG(3,
181 ("client hello, adding renegotiation extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]182
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]183 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]184
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]185 /*
186 * Secure renegotiation
187 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]188 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]189 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]190
191 *p++ = 0x00;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]192 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
193 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]194
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]195 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]196
197 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]198
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]199 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]200}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]201#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]202
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]203/*
204 * Only if we handle at least one key exchange that needs signatures.
205 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]206#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]207 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]208MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]209static int ssl_write_signature_algorithms_ext(mbedtls_ssl_context *ssl,
210 unsigned char *buf,
211 const unsigned char *end,
212 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]213{
214 unsigned char *p = buf;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]215 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]216 const int *md;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]217
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]218#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]219 unsigned char *sig_alg_list = buf + 6;
220#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]221
222 *olen = 0;
223
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]224 if (ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
225 return 0;
226 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]227
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]228 MBEDTLS_SSL_DEBUG_MSG(3,
229 ("client hello, adding signature_algorithms extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]230
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]231 if (ssl->conf->sig_hashes == NULL) {
232 return MBEDTLS_ERR_SSL_BAD_CONFIG;
233 }
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]234
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]235 for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]236#if defined(MBEDTLS_ECDSA_C)
237 sig_alg_len += 2;
238#endif
239#if defined(MBEDTLS_RSA_C)
240 sig_alg_len += 2;
241#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]242 if (sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN) {
243 MBEDTLS_SSL_DEBUG_MSG(3,
244 ("length in bytes of sig-hash-alg extension too big"));
245 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]246 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]247 }
248
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]249 /* Empty signature algorithms list, this is a configuration error. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]250 if (sig_alg_len == 0) {
251 return MBEDTLS_ERR_SSL_BAD_CONFIG;
252 }
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]253
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]254 MBEDTLS_SSL_CHK_BUF_PTR(p, end, sig_alg_len + 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]255
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]256 /*
257 * Prepare signature_algorithms extension (TLS 1.2)
258 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]259 sig_alg_len = 0;
260
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]261 for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]262#if defined(MBEDTLS_ECDSA_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]263 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]264 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]265#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]266#if defined(MBEDTLS_RSA_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]267 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]268 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]269#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]270 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]271
272 /*
273 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]274 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
275 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]276 * } HashAlgorithm;
277 *
278 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
279 * SignatureAlgorithm;
280 *
281 * struct {
282 * HashAlgorithm hash;
283 * SignatureAlgorithm signature;
284 * } SignatureAndHashAlgorithm;
285 *
286 * SignatureAndHashAlgorithm
287 * supported_signature_algorithms<2..2^16-2>;
288 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]289 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]290 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]291
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]292 MBEDTLS_PUT_UINT16_BE(sig_alg_len + 2, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]293 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]294
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]295 MBEDTLS_PUT_UINT16_BE(sig_alg_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]296 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]297
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]298 *olen = 6 + sig_alg_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]299
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]300 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]301}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]303 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]304
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]305#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]306 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]307MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]308static int ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context *ssl,
309 unsigned char *buf,
310 const unsigned char *end,
311 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]312{
313 unsigned char *p = buf;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]314 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]315 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]316 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]317 const mbedtls_ecp_group_id *grp_id;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]318
319 *olen = 0;
320
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]321 MBEDTLS_SSL_DEBUG_MSG(3,
322 ("client hello, adding supported_elliptic_curves extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]323
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]324 if (ssl->conf->curve_list == NULL) {
325 return MBEDTLS_ERR_SSL_BAD_CONFIG;
326 }
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]327
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]328 for (grp_id = ssl->conf->curve_list;
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]329 *grp_id != MBEDTLS_ECP_DP_NONE;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]330 grp_id++) {
331 info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
332 if (info == NULL) {
333 MBEDTLS_SSL_DEBUG_MSG(1,
334 ("invalid curve in ssl configuration"));
335 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]336 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]337 elliptic_curve_len += 2;
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]338
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]339 if (elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN) {
340 MBEDTLS_SSL_DEBUG_MSG(3,
341 ("malformed supported_elliptic_curves extension in config"));
342 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]343 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]344 }
345
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]346 /* Empty elliptic curve list, this is a configuration error. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]347 if (elliptic_curve_len == 0) {
348 return MBEDTLS_ERR_SSL_BAD_CONFIG;
349 }
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]350
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]351 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + elliptic_curve_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]352
353 elliptic_curve_len = 0;
354
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]355 for (grp_id = ssl->conf->curve_list;
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]356 *grp_id != MBEDTLS_ECP_DP_NONE;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]357 grp_id++) {
358 info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
359 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1(info->tls_id);
360 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0(info->tls_id);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]361 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]362
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]363 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]364 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]365
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]366 MBEDTLS_PUT_UINT16_BE(elliptic_curve_len + 2, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]367 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]368
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]369 MBEDTLS_PUT_UINT16_BE(elliptic_curve_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]370 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]371
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]372 *olen = 6 + elliptic_curve_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]373
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]374 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]375}
376
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]377MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]378static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
379 unsigned char *buf,
380 const unsigned char *end,
381 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]382{
383 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]384 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]385
386 *olen = 0;
387
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]388 MBEDTLS_SSL_DEBUG_MSG(3,
389 ("client hello, adding supported_point_formats extension"));
390 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]391
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]392 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]393 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]394
395 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]396 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]397
398 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]399 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]400
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]401 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]402
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]403 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]404}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]405#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]406 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]407
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]408#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]409MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]410static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
411 unsigned char *buf,
412 const unsigned char *end,
413 size_t *olen)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]414{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]415 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]416 unsigned char *p = buf;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]417 size_t kkpp_len;
418
419 *olen = 0;
420
421 /* Skip costly extension if we can't use EC J-PAKE anyway */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]422 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
423 return 0;
424 }
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]425
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]426 MBEDTLS_SSL_DEBUG_MSG(3,
427 ("client hello, adding ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]428
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]429 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]430
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]431 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]432 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]433
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]434 /*
435 * We may need to send ClientHello multiple times for Hello verification.
436 * We don't want to compute fresh values every time (both for performance
437 * and consistency reasons), so cache the extension content.
438 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]439 if (ssl->handshake->ecjpake_cache == NULL ||
440 ssl->handshake->ecjpake_cache_len == 0) {
441 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]442
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]443 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
444 p + 2, end - p - 2, &kkpp_len,
445 ssl->conf->f_rng, ssl->conf->p_rng);
446 if (ret != 0) {
447 MBEDTLS_SSL_DEBUG_RET(1,
448 "mbedtls_ecjpake_write_round_one", ret);
449 return ret;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]450 }
451
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]452 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
453 if (ssl->handshake->ecjpake_cache == NULL) {
454 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
455 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]456 }
457
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]458 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]459 ssl->handshake->ecjpake_cache_len = kkpp_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]460 } else {
461 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]462
463 kkpp_len = ssl->handshake->ecjpake_cache_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]464 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]465
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]466 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]467 }
468
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]469 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]470 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]471
472 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]473
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]474 return 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]475}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]476#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]477
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]478#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]479MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]480static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
481 unsigned char *buf,
482 const unsigned char *end,
483 size_t *olen)
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]484{
485 unsigned char *p = buf;
486 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]487
488 /*
Hanno Beckerebcc9132019-05-15 10:26:32 +0100[diff] [blame]489 * Quoting draft-ietf-tls-dtls-connection-id-05
490 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]491 *
492 * struct {
493 * opaque cid<0..2^8-1>;
494 * } ConnectionId;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]495 */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]496
497 *olen = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]498 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
499 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
500 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]501 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]503
504 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
505 * which is at most 255, so the increment cannot overflow. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]506 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]507
508 /* Add extension ID + size */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]509 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]510 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]511 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]512 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]513 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]514
515 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]516 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]517
518 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]519
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]520 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]521}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]522#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]523
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]524#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]525MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]526static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
527 unsigned char *buf,
528 const unsigned char *end,
529 size_t *olen)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]530{
531 unsigned char *p = buf;
532
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]533 *olen = 0;
534
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]535 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
536 return 0;
537 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]538
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]539 MBEDTLS_SSL_DEBUG_MSG(3,
540 ("client hello, adding max_fragment_length extension"));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]541
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]543
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]544 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]545 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]546
547 *p++ = 0x00;
548 *p++ = 1;
549
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]550 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]551
552 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]553
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]554 return 0;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]555}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]557
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]558#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]559MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]560static int ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
561 unsigned char *buf,
562 const unsigned char *end,
563 size_t *olen)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]564{
565 unsigned char *p = buf;
566
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]567 *olen = 0;
568
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]569 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) {
570 return 0;
571 }
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]572
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]573 MBEDTLS_SSL_DEBUG_MSG(3,
574 ("client hello, adding truncated_hmac extension"));
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]575
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]576 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]577
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]578 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]579 p += 2;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]580
581 *p++ = 0x00;
582 *p++ = 0x00;
583
584 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]585
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]586 return 0;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]587}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]590#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]591MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]592static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
593 unsigned char *buf,
594 const unsigned char *end,
595 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]596{
597 unsigned char *p = buf;
598
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]599 *olen = 0;
600
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]601 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
602 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
603 return 0;
604 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]605
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]606 MBEDTLS_SSL_DEBUG_MSG(3,
607 ("client hello, adding encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]608
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]609 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]610
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]611 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]612 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]613
614 *p++ = 0x00;
615 *p++ = 0x00;
616
617 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]618
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]619 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]620}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]621#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]622
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]624MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]625static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
626 unsigned char *buf,
627 const unsigned char *end,
628 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]629{
630 unsigned char *p = buf;
631
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]632 *olen = 0;
633
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]634 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
635 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
636 return 0;
637 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]638
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]639 MBEDTLS_SSL_DEBUG_MSG(3,
640 ("client hello, adding extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]641
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]642 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]643
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]644 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]645 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]646
647 *p++ = 0x00;
648 *p++ = 0x00;
649
650 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]651
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]652 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]653}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]657MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]658static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
659 unsigned char *buf,
660 const unsigned char *end,
661 size_t *olen)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]662{
663 unsigned char *p = buf;
664 size_t tlen = ssl->session_negotiate->ticket_len;
665
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]666 *olen = 0;
667
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]668 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
669 return 0;
670 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]671
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]672 MBEDTLS_SSL_DEBUG_MSG(3,
673 ("client hello, adding session ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]674
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]675 /* The addition is safe here since the ticket length is 16 bit. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]676 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]677
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]678 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]679 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]680
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]681 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]682 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]683
684 *olen = 4;
685
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]686 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
687 return 0;
688 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]689
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]690 MBEDTLS_SSL_DEBUG_MSG(3,
691 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]692
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]693 memcpy(p, ssl->session_negotiate->ticket, tlen);
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]694
695 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]696
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]697 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]698}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]702MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]703static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
704 unsigned char *buf,
705 const unsigned char *end,
706 size_t *olen)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]707{
708 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]709 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]710 const char **cur;
711
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]712 *olen = 0;
713
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]714 if (ssl->conf->alpn_list == NULL) {
715 return 0;
716 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]717
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]718 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]719
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]720 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
721 alpnlen += strlen(*cur) + 1;
722 }
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]723
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]724 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + alpnlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]725
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]726 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]727 p += 2;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]728
729 /*
730 * opaque ProtocolName<1..2^8-1>;
731 *
732 * struct {
733 * ProtocolName protocol_name_list<2..2^16-1>
734 * } ProtocolNameList;
735 */
736
737 /* Skip writing extension and list length for now */
738 p += 4;
739
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]740 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
Hanno Beckere131bfe2017-04-12 14:54:42 +0100[diff] [blame]741 /*
742 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
743 * protocol names is less than 255.
744 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]745 *p = (unsigned char) strlen(*cur);
746 memcpy(p + 1, *cur, *p);
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]747 p += 1 + *p;
748 }
749
750 *olen = p - buf;
751
752 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]753 MBEDTLS_PUT_UINT16_BE(*olen - 6, buf, 4);
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]754
755 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]756 MBEDTLS_PUT_UINT16_BE(*olen - 4, buf, 2);
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]757
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]758 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]759}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]760#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]761
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]762#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]763MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]764static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
765 unsigned char *buf,
766 const unsigned char *end,
767 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]768{
769 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]770 size_t protection_profiles_index = 0, ext_len = 0;
771 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]772
773 *olen = 0;
774
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]775 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
776 (ssl->conf->dtls_srtp_profile_list == NULL) ||
777 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
778 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]779 }
780
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]781 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]782 * uint8 SRTPProtectionProfile[2];
783 *
784 * struct {
785 * SRTPProtectionProfiles SRTPProtectionProfiles;
786 * opaque srtp_mki<0..255>;
787 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]788 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]789 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]790 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]791 mki_len = ssl->dtls_srtp_info.mki_len;
792 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]793 /* Extension length = 2 bytes for profiles length,
794 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
795 * 1 byte for srtp_mki vector length and the mki_len value
796 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]797 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]798
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]799 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]800
801 /* Check there is room in the buffer for the extension + 4 bytes
802 * - the extension tag (2 bytes)
803 * - the extension length (2 bytes)
804 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]805 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]806
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]807 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]808 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]809
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]810 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]811 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]812
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]813 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]814 /* micro-optimization:
815 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
816 * which is lower than 127, so the upper byte of the length is always 0
817 * For the documentation, the more generic code is left in comments
818 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
819 * >> 8 ) & 0xFF );
820 */
821 *p++ = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]822 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]823
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]824 for (protection_profiles_index = 0;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]825 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]826 protection_profiles_index++) {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]827 profile_value = mbedtls_ssl_check_srtp_profile_value
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]828 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
829 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
830 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
831 profile_value));
832 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]833 p += 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]834 } else {
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]835 /*
836 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]837 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]838 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]839 MBEDTLS_SSL_DEBUG_MSG(3,
840 ("client hello, "
841 "illegal DTLS-SRTP protection profile %d",
842 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
843 ));
844 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]845 }
846 }
847
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]848 *p++ = mki_len & 0xFF;
849
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]850 if (mki_len != 0) {
851 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]852 /*
853 * Increment p to point to the current position.
854 */
855 p += mki_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]856 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
857 ssl->dtls_srtp_info.mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]858 }
859
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]860 /*
861 * total extension length: extension type (2 bytes)
862 * + extension length (2 bytes)
863 * + protection profile length (2 bytes)
864 * + 2 * number of protection profiles
865 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]866 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]867 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]868 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]869
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]870 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]871}
872#endif /* MBEDTLS_SSL_DTLS_SRTP */
873
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]874/*
875 * Generate random bytes for ClientHello
876 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]877MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]878static int ssl_generate_random(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]879{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]880 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]881 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]882#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]883 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]884#endif
885
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]886 /*
887 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
888 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]889#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]890 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
891 ssl->handshake->verify_cookie != NULL) {
892 return 0;
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]893 }
894#endif
895
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]896#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]897 t = mbedtls_time(NULL);
898 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]899 p += 4;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]900
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]901 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
902 (long long) t));
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]903#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]904 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
905 return ret;
906 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]907
908 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]909#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]910
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]911 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) {
912 return ret;
913 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]914
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]915 return 0;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]916}
917
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]918/**
919 * \brief Validate cipher suite against config in SSL context.
920 *
921 * \param suite_info cipher suite to validate
922 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]923 * \param min_minor_ver Minimal minor version to accept a cipher suite
924 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]925 *
926 * \return 0 if valid, else 1
927 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]928MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]929static int ssl_validate_ciphersuite(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]930 const mbedtls_ssl_ciphersuite_t *suite_info,
931 const mbedtls_ssl_context *ssl,
932 int min_minor_ver, int max_minor_ver)
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]933{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]934 (void) ssl;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]935 if (suite_info == NULL) {
936 return 1;
937 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]938
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]939 if (suite_info->min_minor_ver > max_minor_ver ||
940 suite_info->max_minor_ver < min_minor_ver) {
941 return 1;
942 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]943
944#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]945 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
946 (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS)) {
947 return 1;
948 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]949#endif
950
951#if defined(MBEDTLS_ARC4_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]952 if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
953 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) {
954 return 1;
955 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]956#endif
957
958#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]959 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
960 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
961 return 1;
962 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]963#endif
964
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]965 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]966#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]967 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
968 ssl_conf_has_static_psk(ssl->conf) == 0) {
969 return 1;
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]970 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]971#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]972
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]973 return 0;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]974}
975
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]976MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]977static int ssl_write_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]979 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]980 size_t i, n, olen, ext_len = 0;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]981
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]983 unsigned char *p, *q;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]984 const unsigned char *end;
985
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]986 unsigned char offer_compress;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]987 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]988 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]989#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
990 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
991 int uses_ec = 0;
992#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]994 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]996 if (ssl->conf->f_rng == NULL) {
997 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
998 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]999 }
1000
David Horstmannee0a0e72022-10-25 17:20:00 +0100[diff] [blame]1001 int renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1003 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
David Horstmannee0a0e72022-10-25 17:20:00 +0100[diff] [blame]1004 renegotiating = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1005 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1006#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1007 if (!renegotiating) {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1008 ssl->major_ver = ssl->conf->min_major_ver;
1009 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1010 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1012 if (ssl->conf->max_major_ver == 0) {
1013 MBEDTLS_SSL_DEBUG_MSG(1,
1014 (
1015 "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()"));
1016 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]1017 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1019 buf = ssl->out_msg;
1020 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
1021
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022 /*
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1023 * Check if there's enough space for the first part of the ClientHello
1024 * consisting of the 38 bytes described below, the session identifier (at
1025 * most 32 bytes) and its length (1 byte).
1026 *
1027 * Use static upper bounds instead of the actual values
1028 * to allow the compiler to optimize this away.
1029 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1030 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 38 + 1 + 32);
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1031
1032 /*
1033 * The 38 first bytes of the ClientHello:
1034 * 0 . 0 handshake type (written later)
1035 * 1 . 3 handshake length (written later)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036 * 4 . 5 highest version supported
1037 * 6 . 9 current UNIX time
1038 * 10 . 37 random bytes
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1039 *
1040 * The current UNIX time (4 bytes) and following 28 random bytes are written
1041 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
1042 * copied from there into the output buffer.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1045 p = buf + 4;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1046 mbedtls_ssl_write_version(ssl->conf->max_major_ver,
1047 ssl->conf->max_minor_ver,
1048 ssl->conf->transport, p);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1049 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1050
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1051 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, max version: [%d:%d]",
1052 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1054 if ((ret = ssl_generate_random(ssl)) != 0) {
1055 MBEDTLS_SSL_DEBUG_RET(1, "ssl_generate_random", ret);
1056 return ret;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1057 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1058
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1059 memcpy(p, ssl->handshake->randbytes, 32);
1060 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", p, 32);
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]1061 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062
1063 /*
1064 * 38 . 38 session id length
1065 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1066 * 39+n . 39+n DTLS only: cookie length (1 byte)
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1067 * 40+n . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1068 * .. . .. ciphersuitelist length (2 bytes)
1069 * .. . .. ciphersuitelist
1070 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1071 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1072 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1073 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1075 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1077 if (n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078#if defined(MBEDTLS_SSL_RENEGOTIATION)
1079 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1080#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1081 ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1083 }
1084
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1086 /*
1087 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
1088 * generate and include a Session ID in the TLS ClientHello."
1089 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1090 if (!renegotiating) {
1091 if (ssl->session_negotiate->ticket != NULL &&
1092 ssl->session_negotiate->ticket_len != 0) {
1093 ret = ssl->conf->f_rng(ssl->conf->p_rng,
1094 ssl->session_negotiate->id, 32);
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1095
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1096 if (ret != 0) {
1097 return ret;
1098 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1099
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1100 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]1101 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]1102 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1103#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1105 /*
1106 * The first check of the output buffer size above (
1107 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
1108 * has checked that there is enough space in the output buffer for the
1109 * session identifier length byte and the session identifier (n <= 32).
1110 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 *p++ = (unsigned char) n;
1112
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1113 for (i = 0; i < n; i++) {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1114 *p++ = ssl->session_negotiate->id[i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1115 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1116
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1117 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1118 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 39, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1120 /*
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1121 * With 'n' being the length of the session identifier
1122 *
1123 * 39+n . 39+n DTLS only: cookie length (1 byte)
1124 * 40+n . .. DTLS only: cookie
1125 * .. . .. ciphersuitelist length (2 bytes)
1126 * .. . .. ciphersuitelist
1127 * .. . .. compression methods length (1 byte)
1128 * .. . .. compression methods
1129 * .. . .. extensions length (2 bytes)
1130 * .. . .. extensions
1131 */
1132
1133 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1134 * DTLS cookie
1135 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1137 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1138 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1139
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1140 if (ssl->handshake->verify_cookie == NULL) {
1141 MBEDTLS_SSL_DEBUG_MSG(3, ("no verify cookie to send"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1142 *p++ = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1143 } else {
1144 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1145 ssl->handshake->verify_cookie,
1146 ssl->handshake->verify_cookie_len);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1147
1148 *p++ = ssl->handshake->verify_cookie_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1149
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1150 MBEDTLS_SSL_CHK_BUF_PTR(p, end,
1151 ssl->handshake->verify_cookie_len);
1152 memcpy(p, ssl->handshake->verify_cookie,
1153 ssl->handshake->verify_cookie_len);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1154 p += ssl->handshake->verify_cookie_len;
1155 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1156 }
1157#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1159 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1160 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1161 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1162 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1163
1164 /* Skip writing ciphersuite length for now */
1165 n = 0;
1166 q = p;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1167
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1168 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1169 p += 2;
1170
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1171 for (i = 0; ciphersuites[i] != 0; i++) {
1172 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]);
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1173
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1174 if (ssl_validate_ciphersuite(ciphersuite_info, ssl,
1175 ssl->conf->min_minor_ver,
1176 ssl->conf->max_minor_ver) != 0) {
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1177 continue;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1178 }
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1179
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1180 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %#04x (%s)",
1181 (unsigned int) ciphersuites[i], ciphersuite_info->name));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1182
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1183#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1184 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1185 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1186#endif
1187
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1188 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1189
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1190 n++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1191 MBEDTLS_PUT_UINT16_BE(ciphersuites[i], p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]1192 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1193 }
1194
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1195 MBEDTLS_SSL_DEBUG_MSG(3,
1196 ("client hello, got %" MBEDTLS_PRINTF_SIZET
1197 " ciphersuites (excluding SCSVs)", n));
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]1198
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1199 /*
1200 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1201 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1202 if (!renegotiating) {
1203 MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
1204 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1205 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]1206 p += 2;
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1207 n++;
1208 }
1209
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1210 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1211#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1212 if (ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK) {
1213 MBEDTLS_SSL_DEBUG_MSG(3, ("adding FALLBACK_SCSV"));
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1214
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1215 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1216 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_FALLBACK_SCSV_VALUE, p, 0);
Joe Subbiani2f98d792021-08-20 11:44:44 +0100[diff] [blame]1217 p += 2;
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1218 n++;
1219 }
1220#endif
1221
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1222 *q++ = (unsigned char) (n >> 7);
1223 *q++ = (unsigned char) (n << 1);
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1225#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1226 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1227#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1228 offer_compress = 0;
1229#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1231 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]1232 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1233 * in the same datagram, uncompressing one could overwrite the next one.
1234 * We don't want to add complexity for handling that case unless there is
1235 * an actual need for it.
1236 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1238 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1239 offer_compress = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1240 }
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1241#endif
1242
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1243 if (offer_compress) {
1244 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 2));
1245 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d %d",
1246 MBEDTLS_SSL_COMPRESS_DEFLATE,
1247 MBEDTLS_SSL_COMPRESS_NULL));
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1248
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1249 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1250 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1252 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1253 } else {
1254 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 1));
1255 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d",
1256 MBEDTLS_SSL_COMPRESS_NULL));
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1257
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1258 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1259 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1260 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1261 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1263 /* First write extensions, then the total length */
1264
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1265 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1267#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1268 if ((ret = ssl_write_hostname_ext(ssl, p + 2 + ext_len,
1269 end, &olen)) != 0) {
1270 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_hostname_ext", ret);
1271 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1272 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1273 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1274#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1276 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1277 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1278#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1279 if ((ret = ssl_write_renegotiation_ext(ssl, p + 2 + ext_len,
1280 end, &olen)) != 0) {
1281 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
1282 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1283 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1284 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1285#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1286
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1287#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1288 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1289 if ((ret = ssl_write_signature_algorithms_ext(ssl, p + 2 + ext_len,
1290 end, &olen)) != 0) {
1291 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_signature_algorithms_ext", ret);
1292 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1293 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1294 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1295#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1296
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1297#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1298 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1299 if (uses_ec) {
1300 if ((ret = ssl_write_supported_elliptic_curves_ext(ssl, p + 2 + ext_len,
1301 end, &olen)) != 0) {
1302 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_elliptic_curves_ext", ret);
1303 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1304 }
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1305 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1306
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1307 if ((ret = ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len,
1308 end, &olen)) != 0) {
1309 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
1310 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1311 }
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1312 ext_len += olen;
1313 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1314#endif
1315
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1316#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1317 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len,
1318 end, &olen)) != 0) {
1319 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
1320 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1321 }
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1322 ext_len += olen;
1323#endif
1324
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1325#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1326 if ((ret = ssl_write_cid_ext(ssl, p + 2 + ext_len, end, &olen)) != 0) {
1327 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
1328 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1329 }
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]1330 ext_len += olen;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1331#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]1332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1333#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1334 if ((ret = ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len,
1335 end, &olen)) != 0) {
1336 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
1337 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1338 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1339 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1340#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1341
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1342#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1343 if ((ret = ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len,
1344 end, &olen)) != 0) {
1345 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_truncated_hmac_ext", ret);
1346 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1347 }
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1348 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1349#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1352 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len,
1353 end, &olen)) != 0) {
1354 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
1355 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1356 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1357 ext_len += olen;
1358#endif
1359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1361 if ((ret = ssl_write_extended_ms_ext(ssl, p + 2 + ext_len,
1362 end, &olen)) != 0) {
1363 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
1364 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1365 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1366 ext_len += olen;
1367#endif
1368
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1369#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1370 if ((ret = ssl_write_alpn_ext(ssl, p + 2 + ext_len,
1371 end, &olen)) != 0) {
1372 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_alpn_ext", ret);
1373 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1374 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1375 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1376#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1377
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1378#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1379 if ((ret = ssl_write_use_srtp_ext(ssl, p + 2 + ext_len,
1380 end, &olen)) != 0) {
1381 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
1382 return ret;
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1383 }
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]1384 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1385#endif
1386
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1387#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1388 if ((ret = ssl_write_session_ticket_ext(ssl, p + 2 + ext_len,
1389 end, &olen)) != 0) {
1390 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
1391 return ret;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1392 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1393 ext_len += olen;
1394#endif
1395
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1396 /* olen unused if all extensions are disabled */
1397 ((void) olen);
1398
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1399 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1400 ext_len));
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1401
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1402 if (ext_len > 0) {
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]1403 /* No need to check for space here, because the extension
1404 * writing functions already took care of that. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1405 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani24647c52021-08-20 15:56:22 +0100[diff] [blame]1406 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1407 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1408
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1410 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1411 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412
1413 ssl->state++;
1414
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1416 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1417 mbedtls_ssl_send_flight_completed(ssl);
1418 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1419#endif
1420
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1421 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
1422 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
1423 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1424 }
1425
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1426#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1427 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1428 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
1429 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
1430 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1431 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1432#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1433
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1434 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1436 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437}
1438
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1439MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1440static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
1441 const unsigned char *buf,
1442 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1443{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1445 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1446 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1447 if (len != 1 + ssl->verify_data_len * 2 ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1448 buf[0] != ssl->verify_data_len * 2 ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1449 mbedtls_ct_memcmp(buf + 1,
1450 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
1451 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
1452 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
1453 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1454 mbedtls_ssl_send_alert_message(
1455 ssl,
1456 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1457 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1458 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1459 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1460 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1462 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1463 if (len != 1 || buf[0] != 0x00) {
1464 MBEDTLS_SSL_DEBUG_MSG(1,
1465 ("non-zero length renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1466 mbedtls_ssl_send_alert_message(
1467 ssl,
1468 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1469 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1470 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1471 }
1472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1474 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1475
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1476 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1477}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1479#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1480MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1481static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1482 const unsigned char *buf,
1483 size_t len)
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1484{
1485 /*
1486 * server should use the extension only if we did,
1487 * and if so the server's value should match ours (and len is always 1)
1488 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1489 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1490 len != 1 ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1491 buf[0] != ssl->conf->mfl_code) {
1492 MBEDTLS_SSL_DEBUG_MSG(1,
1493 ("non-matching max fragment length extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1494 mbedtls_ssl_send_alert_message(
1495 ssl,
1496 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1497 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1498 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1499 }
1500
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1501 return 0;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1502}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1504
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1506MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1507static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
1508 const unsigned char *buf,
1509 size_t len)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1510{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1511 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1512 len != 0) {
1513 MBEDTLS_SSL_DEBUG_MSG(1,
1514 ("non-matching truncated HMAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1515 mbedtls_ssl_send_alert_message(
1516 ssl,
1517 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1518 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1519 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1520 }
1521
1522 ((void) buf);
1523
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1525
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1526 return 0;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1527}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1528#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1529
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1530#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1531MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1532static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
1533 const unsigned char *buf,
1534 size_t len)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1535{
1536 size_t peer_cid_len;
1537
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1538 if ( /* CID extension only makes sense in DTLS */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1539 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1540 /* The server must only send the CID extension if we have offered it. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1541 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
1542 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
1543 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1544 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1545 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]1546 }
1547
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1548 if (len == 0) {
1549 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1550 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1551 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1552 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1553 }
1554
1555 peer_cid_len = *buf++;
1556 len--;
1557
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1558 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
1559 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1560 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1561 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1562 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1563 }
1564
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1565 if (len != peer_cid_len) {
1566 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1567 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1568 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1569 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1570 }
1571
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]1572 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1573 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1574 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1575
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1576 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
1577 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1578
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1579 return 0;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1580}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1581#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1582
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1583#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1584MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1585static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1586 const unsigned char *buf,
1587 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1588{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1589 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1591 len != 0) {
1592 MBEDTLS_SSL_DEBUG_MSG(1,
1593 ("non-matching encrypt-then-MAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1594 mbedtls_ssl_send_alert_message(
1595 ssl,
1596 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1597 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1598 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1599 }
1600
1601 ((void) buf);
1602
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1603 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1604
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1605 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1606}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1607#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1608
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1609#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1610MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1611static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
1612 const unsigned char *buf,
1613 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1614{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1615 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1616 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1617 len != 0) {
1618 MBEDTLS_SSL_DEBUG_MSG(1,
1619 ("non-matching extended master secret extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1620 mbedtls_ssl_send_alert_message(
1621 ssl,
1622 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1623 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1624 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1625 }
1626
1627 ((void) buf);
1628
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1629 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1630
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1631 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1632}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1635#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1636MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1637static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
1638 const unsigned char *buf,
1639 size_t len)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1640{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1641 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1642 len != 0) {
1643 MBEDTLS_SSL_DEBUG_MSG(1,
1644 ("non-matching session ticket extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1645 mbedtls_ssl_send_alert_message(
1646 ssl,
1647 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1648 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1649 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1650 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1651
1652 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1653
1654 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1655
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1656 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1657}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1658#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1659
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1660#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1661 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1662MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1663static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1664 const unsigned char *buf,
1665 size_t len)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1666{
1667 size_t list_size;
1668 const unsigned char *p;
1669
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1670 if (len == 0 || (size_t) (buf[0] + 1) != len) {
1671 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1672 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1673 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1674 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1675 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1676 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1677
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1678 p = buf + 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1679 while (list_size > 0) {
1680 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1681 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1682#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1683 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1684#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1685#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1686 ssl->handshake->ecjpake_ctx.point_format = p[0];
1687#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1688 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
1689 return 0;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1690 }
1691
1692 list_size--;
1693 p++;
1694 }
1695
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1696 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
1697 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1698 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1699 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1700}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1701#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1702 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1703
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1704#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1705MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1706static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
1707 const unsigned char *buf,
1708 size_t len)
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1709{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1710 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1711
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1712 if (ssl->handshake->ciphersuite_info->key_exchange !=
1713 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1714 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
1715 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1716 }
1717
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1718 /* If we got here, we no longer need our cached extension */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1719 mbedtls_free(ssl->handshake->ecjpake_cache);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1720 ssl->handshake->ecjpake_cache = NULL;
1721 ssl->handshake->ecjpake_cache_len = 0;
1722
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1723 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
1724 buf, len)) != 0) {
1725 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1726 mbedtls_ssl_send_alert_message(
1727 ssl,
1728 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1729 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1730 return ret;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1731 }
1732
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1733 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1734}
1735#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1738MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1739static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
1740 const unsigned char *buf, size_t len)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1741{
1742 size_t list_len, name_len;
1743 const char **p;
1744
1745 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1746 if (ssl->conf->alpn_list == NULL) {
1747 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1748 mbedtls_ssl_send_alert_message(
1749 ssl,
1750 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1751 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1752 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1753 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1754
1755 /*
1756 * opaque ProtocolName<1..2^8-1>;
1757 *
1758 * struct {
1759 * ProtocolName protocol_name_list<2..2^16-1>
1760 * } ProtocolNameList;
1761 *
1762 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1763 */
1764
1765 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1766 if (len < 4) {
1767 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1768 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1769 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1770 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1771
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1772 list_len = (buf[0] << 8) | buf[1];
1773 if (list_len != len - 2) {
1774 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1775 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1776 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1777 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1778
1779 name_len = buf[2];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1780 if (name_len != list_len - 1) {
1781 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1782 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1783 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1784 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1785
1786 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1787 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
1788 if (name_len == strlen(*p) &&
1789 memcmp(buf + 3, *p, name_len) == 0) {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1790 ssl->alpn_chosen = *p;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1791 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1792 }
1793 }
1794
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1795 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
1796 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1797 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1798 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1799}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1800#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1801
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1802#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1803MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1804static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
1805 const unsigned char *buf,
1806 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1807{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1808 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1809 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1810 uint16_t server_protection_profile_value = 0;
1811
1812 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1813 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1814 (ssl->conf->dtls_srtp_profile_list == NULL) ||
1815 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
1816 return 0;
1817 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1818
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]1819 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1820 * uint8 SRTPProtectionProfile[2];
1821 *
1822 * struct {
1823 * SRTPProtectionProfiles SRTPProtectionProfiles;
1824 * opaque srtp_mki<0..255>;
1825 * } UseSRTPData;
1826
1827 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1828 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1829 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1830 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1831 mki_len = ssl->dtls_srtp_info.mki_len;
1832 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1833
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1834 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1835 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1836 * + protection profile (2 bytes)
1837 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1838 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1839 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1840 if ((len < 5) || (len != (buf[4] + 5u))) {
1841 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1842 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1843
1844 /*
1845 * get the server protection profile
1846 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1847
1848 /*
1849 * protection profile length must be 0x0002 as we must have only
1850 * one protection profile in server Hello
1851 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1852 if ((buf[0] != 0) || (buf[1] != 2)) {
1853 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1854 }
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1855
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1856 server_protection_profile_value = (buf[2] << 8) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1857 server_protection = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1858 server_protection_profile_value);
1859 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1860 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1861 mbedtls_ssl_get_srtp_profile_as_string(
1862 server_protection)));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1863 }
1864
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1865 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1866
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1867 /*
1868 * Check we have the server profile in our list
1869 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1870 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1871 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1872 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1873 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1874 mbedtls_ssl_get_srtp_profile_as_string(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1875 server_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1876 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1877 }
1878 }
1879
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1880 /* If no match was found : server problem, it shall never answer with incompatible profile */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1881 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1882 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1883 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1884 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1885 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1886
1887 /* If server does not use mki in its reply, make sure the client won't keep
1888 * one as negotiated */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1889 if (len == 5) {
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1890 ssl->dtls_srtp_info.mki_len = 0;
1891 }
1892
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1893 /*
1894 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1895 * If the client detects a nonzero-length MKI in the server's response
1896 * that is different than the one the client offered, then the client
1897 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1898 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1899 if (len > 5 && (buf[4] != mki_len ||
1900 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1901 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1902 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1903 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1904 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1905#if defined(MBEDTLS_DEBUG_C)
1906 if (len > 5) {
1907 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1908 ssl->dtls_srtp_info.mki_len);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1909 }
1910#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1911 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1912}
1913#endif /* MBEDTLS_SSL_DTLS_SRTP */
1914
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1915/*
1916 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1917 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]1919MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1920static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1921{
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1922 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1923 int major_ver, minor_ver;
1924 unsigned char cookie_len;
1925
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1926 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1927
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1928 /* Check that there is enough room for:
1929 * - 2 bytes of version
1930 * - 1 byte of cookie_len
1931 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1932 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1933 MBEDTLS_SSL_DEBUG_MSG(1,
1934 ("incoming HelloVerifyRequest message is too short"));
1935 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1936 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1937 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1938 }
1939
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1940 /*
1941 * struct {
1942 * ProtocolVersion server_version;
1943 * opaque cookie<0..2^8-1>;
1944 * } HelloVerifyRequest;
1945 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1946 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1947 mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, p);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1948 p += 2;
1949
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1950 /*
1951 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1952 * even is lower than our min version.
1953 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1954 if (major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1955 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1956 major_ver > ssl->conf->max_major_ver ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1957 minor_ver > ssl->conf->max_minor_ver) {
1958 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1959
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1960 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1961 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1962
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1963 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1964 }
1965
1966 cookie_len = *p++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1967 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1968 MBEDTLS_SSL_DEBUG_MSG(1,
1969 ("cookie length does not match incoming message size"));
1970 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1971 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1972 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1973 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1974 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1975
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1976 mbedtls_free(ssl->handshake->verify_cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1977
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1978 ssl->handshake->verify_cookie = mbedtls_calloc(1, cookie_len);
1979 if (ssl->handshake->verify_cookie == NULL) {
1980 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1981 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1982 }
1983
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1984 memcpy(ssl->handshake->verify_cookie, p, cookie_len);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1985 ssl->handshake->verify_cookie_len = cookie_len;
1986
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1987 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1988 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1989 mbedtls_ssl_reset_checksum(ssl);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1990
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1991 mbedtls_ssl_recv_flight_completed(ssl);
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1992
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1993 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1994
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1995 return 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1996}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1997#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1998
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]1999static int is_compression_bad(mbedtls_ssl_context *ssl, unsigned char comp)
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2000{
David Horstmannb4105662022-11-07 16:33:57 +0000[diff] [blame]2001 int bad_comp = 0;
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2002
2003 /* Suppress warnings in some configurations */
David Horstmann08a37512022-11-07 15:55:00 +0000[diff] [blame]2004 (void) ssl;
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2005#if defined(MBEDTLS_ZLIB_SUPPORT)
2006 /* See comments in ssl_write_client_hello() */
2007#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2008 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2009 comp != MBEDTLS_SSL_COMPRESS_NULL) {
David Horstmannb4105662022-11-07 16:33:57 +0000[diff] [blame]2010 bad_comp = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2011 }
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2012#endif
2013
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2014 if (comp != MBEDTLS_SSL_COMPRESS_NULL &&
2015 comp != MBEDTLS_SSL_COMPRESS_DEFLATE) {
David Horstmannb4105662022-11-07 16:33:57 +0000[diff] [blame]2016 bad_comp = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2017 }
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2018#else /* MBEDTLS_ZLIB_SUPPORT */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2019 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
David Horstmannb4105662022-11-07 16:33:57 +0000[diff] [blame]2020 bad_comp = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2021 }
2022#endif /* MBEDTLS_ZLIB_SUPPORT */
David Horstmannb4105662022-11-07 16:33:57 +0000[diff] [blame]2023 return bad_comp;
David Horstmann0955f822022-11-07 14:24:21 +0000[diff] [blame]2024}
2025
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2026MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2027static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2029 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2030 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]2031 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2032 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]2033 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2035 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]2036#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2037 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2038 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2040 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2041
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2042 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2043 /* No alert on a read error. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2044 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2045 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046 }
2047
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]2048 buf = ssl->in_msg;
2049
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2050 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2052 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]2053 ssl->renego_records_seen++;
2054
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2055 if (ssl->conf->renego_max_records >= 0 &&
2056 ssl->renego_records_seen > ssl->conf->renego_max_records) {
2057 MBEDTLS_SSL_DEBUG_MSG(1,
2058 ("renegotiation requested, but not honored by server"));
2059 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]2060 }
2061
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2062 MBEDTLS_SSL_DEBUG_MSG(1,
2063 ("non-handshake message during renegotiation"));
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2064
2065 ssl->keep_current_message = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2066 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]2067 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2068#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]2069
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2070 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2071 mbedtls_ssl_send_alert_message(
2072 ssl,
2073 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2074 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2075 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2076 }
2077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2078#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2079 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2080 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
2081 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
2082 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
2083 return ssl_parse_hello_verify_request(ssl);
2084 } else {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]2085 /* We made it through the verification process */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2086 mbedtls_free(ssl->handshake->verify_cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]2087 ssl->handshake->verify_cookie = NULL;
2088 ssl->handshake->verify_cookie_len = 0;
2089 }
2090 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2092
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2093 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
2094 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
2095 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2096 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2097 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2098 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2099 }
2100
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2101 /*
2102 * 0 . 1 server_version
2103 * 2 . 33 random (maybe including 4 bytes of Unix time)
2104 * 34 . 34 session_id length = n
2105 * 35 . 34+n session_id
2106 * 35+n . 36+n cipher_suite
2107 * 37+n . 37+n compression_method
2108 *
2109 * 38+n . 39+n extensions length (optional)
2110 * 40+n . .. extensions
2111 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2112 buf += mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2113
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2114 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf + 0, 2);
2115 mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
2116 ssl->conf->transport, buf + 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2118 if (ssl->major_ver < ssl->conf->min_major_ver ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2119 ssl->minor_ver < ssl->conf->min_minor_ver ||
2120 ssl->major_ver > ssl->conf->max_major_ver ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2121 ssl->minor_ver > ssl->conf->max_minor_ver) {
2122 MBEDTLS_SSL_DEBUG_MSG(1,
2123 (
2124 "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
2125 ssl->conf->min_major_ver,
2126 ssl->conf->min_minor_ver,
2127 ssl->major_ver, ssl->minor_ver,
2128 ssl->conf->max_major_ver,
2129 ssl->conf->max_minor_ver));
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2130
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2131 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2132 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2133
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2134 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]2135 }
2136
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2137 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
2138 ((unsigned long) buf[2] << 24) |
2139 ((unsigned long) buf[3] << 16) |
2140 ((unsigned long) buf[4] << 8) |
2141 ((unsigned long) buf[5])));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2143 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2144
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2145 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2147 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2148
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2149 if (n > 32) {
2150 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2151 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2152 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2153 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2154 }
2155
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2156 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
2157 ext_len = ((buf[38 + n] << 8)
2158 | (buf[39 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2160 if ((ext_len > 0 && ext_len < 4) ||
2161 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
2162 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2163 mbedtls_ssl_send_alert_message(
2164 ssl,
2165 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2166 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2167 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2168 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2169 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]2170 ext_len = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2171 } else {
2172 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2173 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2174 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2175 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]2176 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2178 /* ciphersuite (used later) */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2179 i = (buf[35 + n] << 8) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2180
2181 /*
2182 * Read and check compression
2183 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2184 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2186 if (is_compression_bad(ssl, comp)) {
2187 MBEDTLS_SSL_DEBUG_MSG(1,
2188 ("server hello, bad compression: %d", comp));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2189 mbedtls_ssl_send_alert_message(
2190 ssl,
2191 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2192 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2193 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]2194 }
2195
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2196 /*
2197 * Initialize update checksum functions
2198 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2199 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
2200 if (ssl->handshake->ciphersuite_info == NULL) {
2201 MBEDTLS_SSL_DEBUG_MSG(1,
2202 ("ciphersuite info for %04x not found", (unsigned int) i));
2203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2204 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
2205 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]2206 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2207
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2208 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]2209
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2210 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2211 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2212
2213 /*
2214 * Check if the session can be resumed
2215 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2216 if (ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2217#if defined(MBEDTLS_SSL_RENEGOTIATION)
2218 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]2219#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2220 ssl->session_negotiate->ciphersuite != i ||
2221 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2222 ssl->session_negotiate->id_len != n ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2223 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]2225 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2226#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2227 ssl->session_negotiate->start = mbedtls_time(NULL);
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2228#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2229 ssl->session_negotiate->ciphersuite = i;
2230 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2231 ssl->session_negotiate->id_len = n;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2232 memcpy(ssl->session_negotiate->id, buf + 35, n);
2233 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2234 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235 }
2236
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2237 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2238 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2239
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2240 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
2241 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
2242 buf[37 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2243
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]2244 /*
2245 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2246 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247 i = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2248 while (1) {
2249 if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) {
2250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2251 mbedtls_ssl_send_alert_message(
2252 ssl,
2253 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2254 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2255 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 }
2257
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2258 if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
2259 ssl->session_negotiate->ciphersuite) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]2261 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2262 }
2263
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2264 suite_info = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2265 ssl->session_negotiate->ciphersuite);
2266 if (ssl_validate_ciphersuite(suite_info, ssl, ssl->minor_ver,
2267 ssl->minor_ver) != 0) {
2268 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2269 mbedtls_ssl_send_alert_message(
2270 ssl,
2271 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2272 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2273 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2274 }
2275
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2276 MBEDTLS_SSL_DEBUG_MSG(3,
2277 ("server hello, chosen ciphersuite: %s", suite_info->name));
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]2278
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2279#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2280 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
2281 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]2282 ssl->handshake->ecrs_enabled = 1;
2283 }
2284#endif
2285
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2286 if (comp != MBEDTLS_SSL_COMPRESS_NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2287#if defined(MBEDTLS_ZLIB_SUPPORT)
2288 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2289#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2290 ) {
2291 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2292 mbedtls_ssl_send_alert_message(
2293 ssl,
2294 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2295 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2296 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2297 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2298 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2299
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]2300 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2301
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2302 MBEDTLS_SSL_DEBUG_MSG(2,
2303 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2304 ext_len));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]2305
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2306 while (ext_len) {
2307 unsigned int ext_id = ((ext[0] << 8)
2308 | (ext[1]));
2309 unsigned int ext_size = ((ext[2] << 8)
2310 | (ext[3]));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2311
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2312 if (ext_size + 4 > ext_len) {
2313 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2314 mbedtls_ssl_send_alert_message(
2315 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2316 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2317 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2318 }
2319
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2320 switch (ext_id) {
2321 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2322 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2323#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2324 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]2325#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2326
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2327 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
2328 ext_size)) != 0) {
2329 return ret;
2330 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2331
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2332 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2333
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2335 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
2336 MBEDTLS_SSL_DEBUG_MSG(3,
2337 ("found max_fragment_length extension"));
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2338
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2339 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
2340 ext + 4, ext_size)) != 0) {
2341 return ret;
2342 }
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2343
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2344 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2345#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]2346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2347#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2348 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2349 MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated_hmac extension"));
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2350
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2351 if ((ret = ssl_parse_truncated_hmac_ext(ssl,
2352 ext + 4, ext_size)) != 0) {
2353 return ret;
2354 }
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2355
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2356 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]2358
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2359#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2360 case MBEDTLS_TLS_EXT_CID:
2361 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]2362
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2363 if ((ret = ssl_parse_cid_ext(ssl,
2364 ext + 4,
2365 ext_size)) != 0) {
2366 return ret;
2367 }
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]2368
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2369 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2370#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]2371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2372#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2373 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2374 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2375
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2376 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
2377 ext + 4, ext_size)) != 0) {
2378 return ret;
2379 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2380
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2381 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2382#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2383
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2384#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2385 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2386 MBEDTLS_SSL_DEBUG_MSG(3,
2387 ("found extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2388
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2389 if ((ret = ssl_parse_extended_ms_ext(ssl,
2390 ext + 4, ext_size)) != 0) {
2391 return ret;
2392 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2393
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2394 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2395#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2397#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2398 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2399 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2400
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2401 if ((ret = ssl_parse_session_ticket_ext(ssl,
2402 ext + 4, ext_size)) != 0) {
2403 return ret;
2404 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2405
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2406 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2408
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2409#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2410 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2411 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2412 MBEDTLS_SSL_DEBUG_MSG(3,
2413 ("found supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2414
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2415 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
2416 ext + 4, ext_size)) != 0) {
2417 return ret;
2418 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2419
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2420 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2421#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2422 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2423
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2424#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2425 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2426 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2427
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2428 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
2429 ext + 4, ext_size)) != 0) {
2430 return ret;
2431 }
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2432
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2433 break;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2434#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2435
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2436#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2437 case MBEDTLS_TLS_EXT_ALPN:
2438 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2439
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2440 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
2441 return ret;
2442 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2443
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2444 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2445#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2446
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2447#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2448 case MBEDTLS_TLS_EXT_USE_SRTP:
2449 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2450
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2451 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
2452 return ret;
2453 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2454
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2455 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2456#endif /* MBEDTLS_SSL_DTLS_SRTP */
2457
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2458 default:
2459 MBEDTLS_SSL_DEBUG_MSG(3,
2460 ("unknown extension found: %u (ignoring)", ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2461 }
2462
2463 ext_len -= 4 + ext_size;
2464 ext += 4 + ext_size;
2465
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2466 if (ext_len > 0 && ext_len < 4) {
2467 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2468 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2469 }
2470 }
2471
Andrzej Kurek77473eb2022-07-06 03:26:55 -0400[diff] [blame]2472 /*
2473 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
2474 * extensions. It sets the transform data for the resumed session which in
2475 * case of DTLS includes the server CID extracted from the CID extension.
2476 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2477 if (ssl->handshake->resume) {
2478 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2479 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
Andrzej Kurekc87d97b2022-06-14 07:12:33 -0400[diff] [blame]2480 mbedtls_ssl_send_alert_message(
2481 ssl,
2482 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2483 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
2484 return ret;
Andrzej Kurekc87d97b2022-06-14 07:12:33 -0400[diff] [blame]2485 }
2486 }
2487
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2488 /*
2489 * Renegotiation security checks
2490 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2491 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2492 ssl->conf->allow_legacy_renegotiation ==
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2493 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
2494 MBEDTLS_SSL_DEBUG_MSG(1,
2495 ("legacy renegotiation, breaking off handshake"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2496 handshake_failure = 1;
2497 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2498#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2499 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2500 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2501 renegotiation_info_seen == 0) {
2502 MBEDTLS_SSL_DEBUG_MSG(1,
2503 ("renegotiation_info extension missing (secure)"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2504 handshake_failure = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2505 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2506 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2507 ssl->conf->allow_legacy_renegotiation ==
2508 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
2509 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2510 handshake_failure = 1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2511 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2512 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2513 renegotiation_info_seen == 1) {
2514 MBEDTLS_SSL_DEBUG_MSG(1,
2515 ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2516 handshake_failure = 1;
2517 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2518#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2519
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2520 if (handshake_failure == 1) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2521 mbedtls_ssl_send_alert_message(
2522 ssl,
2523 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2524 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2525 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2526 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2527
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2528 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2529
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2530 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531}
2532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2533#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2534 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2535MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2536static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
2537 unsigned char **p,
2538 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2539{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2540 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]2541 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2542
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2543 /*
2544 * Ephemeral DH parameters:
2545 *
2546 * struct {
2547 * opaque dh_p<1..2^16-1>;
2548 * opaque dh_g<1..2^16-1>;
2549 * opaque dh_Ys<1..2^16-1>;
2550 * } ServerDHParams;
2551 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2552 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
2553 p, end)) != 0) {
2554 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
2555 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2556 }
2557
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2558 dhm_actual_bitlen = mbedtls_mpi_bitlen(&ssl->handshake->dhm_ctx.P);
2559 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
2560 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
2561 dhm_actual_bitlen,
2562 ssl->conf->dhm_min_bitlen));
2563 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2564 }
2565
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2566 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2567 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2568 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2569
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2570 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2571}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2572#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2573 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2575#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2576 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2577 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2578 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2579 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2580MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2581static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2582{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2583 const mbedtls_ecp_curve_info *curve_info;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500[diff] [blame]2584 mbedtls_ecp_group_id grp_id;
2585#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2586 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2587#else
2588 grp_id = ssl->handshake->ecdh_ctx.grp_id;
aditya-deshpande-arm1d00c3d2022-11-08 16:08:13 +0000[diff] [blame]2589#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2590
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2591 curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id);
2592 if (curve_info == NULL) {
2593 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2594 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2595 }
2596
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2597 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2598
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2599#if defined(MBEDTLS_ECP_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2600 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
2601 return -1;
2602 }
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2603#else
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2604 if (ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2605 ssl->handshake->ecdh_ctx.grp.nbits > 521) {
2606 return -1;
2607 }
aditya-deshpande-arm1d00c3d2022-11-08 16:08:13 +0000[diff] [blame]2608#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2609
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2610 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2611 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2612
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2613 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2614}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2615#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2616 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2617 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2618 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2619 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2620
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2621#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2622 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2623 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2624MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2625static int ssl_parse_server_ecdh_params_psa(mbedtls_ssl_context *ssl,
2626 unsigned char **p,
2627 unsigned char *end)
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2628{
2629 uint16_t tls_id;
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2630 size_t ecdh_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2631 uint8_t ecpoint_len;
2632 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2633
2634 /*
2635 * Parse ECC group
2636 */
2637
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2638 if (end - *p < 4) {
2639 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2640 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2641
2642 /* First byte is curve_type; only named_curve is handled */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2643 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
2644 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2645 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2646
2647 /* Next two bytes are the namedcurve value */
2648 tls_id = *(*p)++;
2649 tls_id <<= 8;
2650 tls_id |= *(*p)++;
2651
Manuel Pégourié-Gonnard01784872022-01-25 11:46:19 +0100[diff] [blame]2652 /* Check it's a curve we offered */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2653 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
2654 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2655 }
Manuel Pégourié-Gonnard01784872022-01-25 11:46:19 +0100[diff] [blame]2656
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2657 /* Convert EC group to PSA key type. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2658 if ((handshake->ecdh_psa_type =
2659 mbedtls_psa_parse_tls_ecc_group(tls_id, &ecdh_bits)) == 0) {
2660 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2661 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2662 if (ecdh_bits > 0xffff) {
2663 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2664 }
Gilles Peskine42459802019-12-19 13:31:53 +0100[diff] [blame]2665 handshake->ecdh_bits = (uint16_t) ecdh_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2666
2667 /*
2668 * Put peer's ECDH public key in the format understood by PSA.
2669 */
2670
2671 ecpoint_len = *(*p)++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2672 if ((size_t) (end - *p) < ecpoint_len) {
2673 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2674 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2675
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2676 if (mbedtls_psa_tls_ecpoint_to_psa_ec(
2677 *p, ecpoint_len,
2678 handshake->ecdh_psa_peerkey,
2679 sizeof(handshake->ecdh_psa_peerkey),
2680 &handshake->ecdh_psa_peerkey_len) != 0) {
2681 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2682 }
2683
2684 *p += ecpoint_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2685 return 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]2686}
2687#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2688 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2689 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2690
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2691#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2692 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2693 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2694MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2695static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
2696 unsigned char **p,
2697 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2698{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2699 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2700
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2701 /*
2702 * Ephemeral ECDH parameters:
2703 *
2704 * struct {
2705 * ECParameters curve_params;
2706 * ECPoint public;
2707 * } ServerECDHParams;
2708 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2709 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
2710 (const unsigned char **) p, end)) != 0) {
2711 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2712#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2713 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2714 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2715 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2716#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2717 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2718 }
2719
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2720 if (ssl_check_server_ecdh_params(ssl) != 0) {
2721 MBEDTLS_SSL_DEBUG_MSG(1,
2722 ("bad server key exchange message (ECDHE curve)"));
2723 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2724 }
2725
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2726 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2727}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2728#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2729 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2730 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2731
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2732#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2733MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2734static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
2735 unsigned char **p,
2736 unsigned char *end)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2737{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2738 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]2739 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2740 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2741
2742 /*
2743 * PSK parameters:
2744 *
2745 * opaque psk_identity_hint<0..2^16-1>;
2746 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2747 if (end - (*p) < 2) {
2748 MBEDTLS_SSL_DEBUG_MSG(1,
2749 ("bad server key exchange message (psk_identity_hint length)"));
2750 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2751 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2752 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2753 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2754
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2755 if (end - (*p) < len) {
2756 MBEDTLS_SSL_DEBUG_MSG(1,
2757 ("bad server key exchange message (psk_identity_hint length)"));
2758 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2759 }
2760
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2761 /*
Tom Cosgrovee87c3352022-12-05 12:08:26 +0000[diff] [blame]2762 * Note: we currently ignore the PSK identity hint, as we only allow one
Tom Cosgrove49f99bc2022-12-04 16:44:21 +0000[diff] [blame]2763 * PSK to be provisioned on the client. This could be changed later if
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2764 * someone needs that feature.
2765 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2766 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2767 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2768
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2769 return ret;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2770}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2771#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2772
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2773#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2774 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2775/*
2776 * Generate a pre-master secret and encrypt it with the server's RSA key
2777 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2778MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2779static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
2780 size_t offset, size_t *olen,
2781 size_t pms_offset)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2782{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2783 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2784 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2785 unsigned char *p = ssl->handshake->premaster + pms_offset;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2786 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2787
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2788 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2789 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
2790 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2791 }
2792
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2793 /*
2794 * Generate (part of) the pre-master as
2795 * struct {
2796 * ProtocolVersion client_version;
2797 * opaque random[46];
2798 * } PreMasterSecret;
2799 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2800 mbedtls_ssl_write_version(ssl->conf->max_major_ver,
2801 ssl->conf->max_minor_ver,
2802 ssl->conf->transport, p);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2803
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2804 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
2805 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
2806 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2807 }
2808
2809 ssl->handshake->pmslen = 48;
2810
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2811#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2812 peer_pk = &ssl->handshake->peer_pubkey;
2813#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2814 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2815 /* Should never happen */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2816 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2817 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2818 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]2819 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2820#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2821
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2822 /*
2823 * Now write it out, encrypted
2824 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2825 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
2826 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
2827 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2828 }
2829
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2830 if ((ret = mbedtls_pk_encrypt(peer_pk,
2831 p, ssl->handshake->pmslen,
2832 ssl->out_msg + offset + len_bytes, olen,
2833 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2834 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2835 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
2836 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2837 }
2838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2839#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2840 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2841 if (len_bytes == 2) {
2842 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2843 *olen += 2;
2844 }
2845#endif
2846
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2847#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2848 /* We don't need the peer's public key anymore. Free it. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2849 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2850#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2851 return 0;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2852}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2853#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2854 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2855
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2856#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2857#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2858 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2859 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2860MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2861static int ssl_parse_signature_algorithm(mbedtls_ssl_context *ssl,
2862 unsigned char **p,
2863 unsigned char *end,
2864 mbedtls_md_type_t *md_alg,
2865 mbedtls_pk_type_t *pk_alg)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2866{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2867 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2868 *md_alg = MBEDTLS_MD_NONE;
2869 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2870
2871 /* Only in TLS 1.2 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2872 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
2873 return 0;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2874 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2875
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2876 if ((*p) + 2 > end) {
2877 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2878 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2879
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2880 /*
2881 * Get hash algorithm
2882 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2883 if ((*md_alg = mbedtls_ssl_md_alg_from_hash((*p)[0]))
2884 == MBEDTLS_MD_NONE) {
2885 MBEDTLS_SSL_DEBUG_MSG(1,
2886 ("Server used unsupported HashAlgorithm %d", *(p)[0]));
2887 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2888 }
2889
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2890 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2891 * Get signature algorithm
2892 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2893 if ((*pk_alg = mbedtls_ssl_pk_alg_from_sig((*p)[1]))
2894 == MBEDTLS_PK_NONE) {
2895 MBEDTLS_SSL_DEBUG_MSG(1,
2896 ("server used unsupported SignatureAlgorithm %d", (*p)[1]));
2897 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2898 }
2899
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2900 /*
2901 * Check if the hash is acceptable
2902 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2903 if (mbedtls_ssl_check_sig_hash(ssl, *md_alg) != 0) {
2904 MBEDTLS_SSL_DEBUG_MSG(1,
2905 ("server used HashAlgorithm %d that was not offered", *(p)[0]));
2906 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2907 }
2908
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2909 MBEDTLS_SSL_DEBUG_MSG(2, ("Server used SignatureAlgorithm %d",
2910 (*p)[1]));
2911 MBEDTLS_SSL_DEBUG_MSG(2, ("Server used HashAlgorithm %d",
2912 (*p)[0]));
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2913 *p += 2;
2914
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2915 return 0;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2916}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2917#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2918 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2919 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2920#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2921
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2922#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2923 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2924MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2925static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2926{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2928 const mbedtls_ecp_keypair *peer_key;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2929 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2930
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2931#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2932 peer_pk = &ssl->handshake->peer_pubkey;
2933#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2934 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2935 /* Should never happen */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2936 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2937 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2938 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2939 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2940#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2941
Manuel Pégourié-Gonnard06e1fcd2022-06-16 10:48:06 +0200[diff] [blame]2942 /* This is a public key, so it can't be opaque, so can_do() is a good
2943 * enough check to ensure pk_ec() is safe to use below. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2944 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2945 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2946 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2947 }
2948
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2949 peer_key = mbedtls_pk_ec(*peer_pk);
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2950
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2951 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2952 MBEDTLS_ECDH_THEIRS)) != 0) {
2953 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2954 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2955 }
2956
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2957 if (ssl_check_server_ecdh_params(ssl) != 0) {
2958 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2959 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2960 }
2961
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2962#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2963 /* We don't need the peer's public key anymore. Free it,
2964 * so that more RAM is available for upcoming expensive
2965 * operations like ECDHE. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2966 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2967#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2968
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2969 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2970}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2971#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2972 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2973
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]2974MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2975static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2976{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2977 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2979 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2980 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2981
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2982 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2984#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2985 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2986 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2987 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2988 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2989 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2990 ((void) p);
2991 ((void) end);
2992#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2993
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2994#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2995 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]2996 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2997 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2998 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2999 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3000 mbedtls_ssl_send_alert_message(
3001 ssl,
3002 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3003 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
3004 return ret;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]3005 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]3006
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3007 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]3008 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3009 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]3010 }
3011 ((void) p);
3012 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3013#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3014 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]3015
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3016#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3017 if (ssl->handshake->ecrs_enabled &&
3018 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3019 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3020 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3021#endif
3022
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3023 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3024 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3025 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3026 }
3027
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3028 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3029 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3030 mbedtls_ssl_send_alert_message(
3031 ssl,
3032 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3033 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3034 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3035 }
3036
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3037 /*
3038 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
3039 * doesn't use a psk_identity_hint
3040 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3041 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
3042 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3043 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3044 /* Current message is probably either
3045 * CertificateRequest or ServerHelloDone */
3046 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]3047 goto exit;
3048 }
3049
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3050 MBEDTLS_SSL_DEBUG_MSG(1,
3051 ("server key exchange message must not be skipped"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3052 mbedtls_ssl_send_alert_message(
3053 ssl,
3054 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3055 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3056
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3057 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3058 }
3059
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3060#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3061 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3062 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3063 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3064
3065start_processing:
3066#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3067 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]3068 end = ssl->in_msg + ssl->in_hslen;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3069 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]3070
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3071#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3072 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3073 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3074 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3075 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3076 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
3077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3078 mbedtls_ssl_send_alert_message(
3079 ssl,
3080 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3081 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3082 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3083 }
Shaun Case0e7791f2021-12-20 21:14:10 -0800[diff] [blame]3084 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3085#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3087#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
3088 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3089 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3090 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]3091 ; /* nothing more to do */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3092 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3093#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
3094 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3095#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3096 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3097 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
3098 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3099 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
3100 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3101 mbedtls_ssl_send_alert_message(
3102 ssl,
3103 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3104 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3105 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3106 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3107 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3108#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3109 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]3110#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3111 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3112 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
3113 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3114 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3115 if (ssl_parse_server_ecdh_params_psa(ssl, &p, end) != 0) {
3116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3117 mbedtls_ssl_send_alert_message(
3118 ssl,
3119 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3120 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3121 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]3122 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3123 } else
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]3124#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3125 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3126 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3127#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3128 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
3129 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3130 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3131 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3132 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3133 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
3134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3135 mbedtls_ssl_send_alert_message(
3136 ssl,
3137 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3138 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3139 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3140 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3141 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3142#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3143 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
3144 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3145#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3146 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3147 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
3148 p, end - p);
3149 if (ret != 0) {
3150 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3151 mbedtls_ssl_send_alert_message(
3152 ssl,
3153 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3154 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3155 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3156 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3157 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3158#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3159 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3160 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3161 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3162 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3163
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3164#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3165 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]3166 size_t sig_len, hashlen;
Ronald Cron3a95d2b2021-10-18 09:47:58 +0200[diff] [blame]3167#if defined(MBEDTLS_USE_PSA_CRYPTO)
3168 unsigned char hash[PSA_HASH_MAX_SIZE];
3169#else
3170 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3171#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3172 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3173 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3174 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]3175 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3176 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3177
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3178 mbedtls_pk_context *peer_pk;
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3179
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3180 /*
3181 * Handle the digitally-signed structure
3182 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3183#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3184 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3185 if (ssl_parse_signature_algorithm(ssl, &p, end,
3186 &md_alg, &pk_alg) != 0) {
3187 MBEDTLS_SSL_DEBUG_MSG(1,
3188 ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3189 mbedtls_ssl_send_alert_message(
3190 ssl,
3191 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3192 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3193 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3194 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3195
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3196 if (pk_alg !=
3197 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info)) {
3198 MBEDTLS_SSL_DEBUG_MSG(1,
3199 ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3200 mbedtls_ssl_send_alert_message(
3201 ssl,
3202 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3204 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3205 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3206 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3207#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3208#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3209 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3210 if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
3211 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3212
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3213 /* Default hash for ECDSA is SHA-1 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3214 if (pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3215 md_alg = MBEDTLS_MD_SHA1;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3216 }
3217 } else
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3218#endif
3219 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3220 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3221 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]3222 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3223
3224 /*
3225 * Read signature
3226 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]3227
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3228 if (p > end - 2) {
3229 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3230 mbedtls_ssl_send_alert_message(
3231 ssl,
3232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3233 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3234 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]3235 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3236 sig_len = (p[0] << 8) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3237 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3238
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3239 if (p != end - sig_len) {
3240 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3241 mbedtls_ssl_send_alert_message(
3242 ssl,
3243 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3244 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3245 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3246 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3247
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3248 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3249
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3250 /*
3251 * Compute the hash that has been signed
3252 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3253#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3254 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3255 if (md_alg == MBEDTLS_MD_NONE) {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3256 hashlen = 36;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3257 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash, params,
3258 params_len);
3259 if (ret != 0) {
3260 return ret;
3261 }
3262 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3263#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3264 MBEDTLS_SSL_PROTO_TLS1_1 */
3265#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3266 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3267 if (md_alg != MBEDTLS_MD_NONE) {
3268 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3269 params, params_len,
3270 md_alg);
3271 if (ret != 0) {
3272 return ret;
3273 }
3274 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3275#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3276 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3277 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3278 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3279 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3280 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3281
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3282 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]3283
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3284#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3285 peer_pk = &ssl->handshake->peer_pubkey;
3286#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3287 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]3288 /* Should never happen */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3289 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3290 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]3291 }
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]3292 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3293#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]3294
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3295 /*
3296 * Verify signature
3297 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3298 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3299 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3300 mbedtls_ssl_send_alert_message(
3301 ssl,
3302 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3303 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
3304 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]3305 }
3306
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3307#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3308 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3309 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3310 }
aditya-deshpande-arm1d00c3d2022-11-08 16:08:13 +0000[diff] [blame]3311#endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]3312
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3313 if ((ret = mbedtls_pk_verify_restartable(peer_pk,
3314 md_alg, hash, hashlen, p, sig_len, rs_ctx)) != 0) {
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3315#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3316 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3317 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3318 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
David Horstmann0448de52022-11-02 18:05:24 +0000[diff] [blame]3319 }
aditya-deshpande-arm1d00c3d2022-11-08 16:08:13 +0000[diff] [blame]3320#endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */
David Horstmann0448de52022-11-02 18:05:24 +0000[diff] [blame]3321 mbedtls_ssl_send_alert_message(
3322 ssl,
3323 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3324 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
3325 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3326 return ret;
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]3327 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]3328
3329#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3330 /* We don't need the peer's public key anymore. Free it,
3331 * so that more RAM is available for upcoming expensive
3332 * operations like ECDHE. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3333 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]3334#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3335 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3336#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3337
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3338exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3339 ssl->state++;
3340
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3341 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3342
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3343 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3344}
3345
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3346#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3347MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3348static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3349{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3350 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3351 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3352
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3353 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3354
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3355 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3356 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3357 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3358 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3359 }
3360
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3361 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3362 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3363}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3364#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3365MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3366static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3367{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3369 unsigned char *buf;
3370 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3371 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3372 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3373 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3374
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3375 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3376
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3377 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3378 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3379 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3380 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]3381 }
3382
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3383 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3384 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3385 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3386 }
3387
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3388 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3389 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3390 mbedtls_ssl_send_alert_message(
3391 ssl,
3392 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3393 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3394 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3395 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3396
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3397 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3398 ssl->client_auth = (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3399
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3400 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
3401 ssl->client_auth ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3402
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3403 if (ssl->client_auth == 0) {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3404 /* Current message is probably the ServerHelloDone */
3405 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3406 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3407 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3408
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3409 /*
3410 * struct {
3411 * ClientCertificateType certificate_types<1..2^8-1>;
3412 * SignatureAndHashAlgorithm
3413 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3414 * DistinguishedName certificate_authorities<0..2^16-1>;
3415 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3416 *
3417 * Since we only support a single certificate on clients, let's just
3418 * ignore all the information that's supposed to help us pick a
3419 * certificate.
3420 *
3421 * We could check that our certificate matches the request, and bail out
3422 * if it doesn't, but it's simpler to just send the certificate anyway,
3423 * and give the server the opportunity to decide if it should terminate
3424 * the connection when it doesn't like our certificate.
3425 *
3426 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3427 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3428 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3429 *
3430 * However, we still minimally parse the message to check it is at least
3431 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3432 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3433 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3434
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3435 /* certificate_types */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3436 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
3437 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3438 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3439 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3440 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3441 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3442 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3443 n = cert_type_len;
3444
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3445 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3446 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3447 * * the length of the signature algorithms field (if minor version of
3448 * SSL is 3),
3449 * * distinguished name length otherwise.
3450 * Both reach at most the index:
3451 * ...hdr_len + 2 + n,
3452 * therefore the buffer length at this point must be greater than that
3453 * regardless of the actual code path.
3454 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3455 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
3456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3458 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3459 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3460 }
3461
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3462 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3463#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3464 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3465 size_t sig_alg_len =
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3466 ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
3467 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3468#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3469 unsigned char *sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3470 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3471#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3472
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3473 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3474 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3475 * sig_alg[i + 1],
3476 * where:
3477 * sig_alg = buf + ...hdr_len + 3 + n,
3478 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3479 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3480 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3481 * which reduces to:
3482 * buf[...hdr_len + 3 + n + sig_alg_len],
3483 * which is one less than we need the buf to be.
3484 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3485 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)
3486 + 3 + n + sig_alg_len) {
3487 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3488 mbedtls_ssl_send_alert_message(
3489 ssl,
3490 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3491 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3492 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3493 }
3494
3495#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3496 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
3497 for (i = 0; i < sig_alg_len; i += 2) {
3498 MBEDTLS_SSL_DEBUG_MSG(3,
3499 ("Supported Signature Algorithm found: %d,%d",
3500 sig_alg[i], sig_alg[i + 1]));
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3501 }
3502#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3503
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3504 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3505 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3506#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3507
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3508 /* certificate_authorities */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3509 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
3510 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3511
3512 n += dn_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3513 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
3514 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3515 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3516 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3517 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3518 }
3519
3520exit:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3521 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3522
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3523 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3524}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3525#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3526
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3527MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3528static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3529{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3531
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3532 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3533
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3534 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3535 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3536 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3537 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3538
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3539 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3540 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
3541 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3542 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3543
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3544 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
3545 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
3546 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
3547 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3548 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3549 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3550 }
3551
3552 ssl->state++;
3553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3554#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3555 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3556 mbedtls_ssl_recv_flight_completed(ssl);
3557 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3558#endif
3559
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3560 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3561
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3562 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3563}
3564
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3565MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3566static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3567{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3568 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3569
3570 size_t header_len;
3571 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3572 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3573 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3574
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3575 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3577#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3578 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3579 /*
3580 * DHM key exchange -- send G^X mod P
3581 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3582 content_len = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3583
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3584 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3585 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3586
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3587 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3588 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3589 &ssl->out_msg[header_len], content_len,
3590 ssl->conf->f_rng, ssl->conf->p_rng);
3591 if (ret != 0) {
3592 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3593 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3594 }
3595
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3596 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
3597 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3598
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3599 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3600 ssl->handshake->premaster,
3601 MBEDTLS_PREMASTER_SIZE,
3602 &ssl->handshake->pmslen,
3603 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3604 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3605 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3606 }
3607
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3608 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3609 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3610#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3611#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3612 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3613 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
3614 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3615 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
Andrzej Kurek4b1216b2022-02-24 13:38:48 -0500[diff] [blame]3616 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3617 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]3618 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3619
3620 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3621
3622 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3623 size_t own_pubkey_len;
3624 unsigned char *own_pubkey_ecpoint;
3625 size_t own_pubkey_ecpoint_len;
3626
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3627 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3628
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3629 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]3630
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3631 /*
3632 * Generate EC private key for ECDHE exchange.
3633 */
3634
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3635 /* The master secret is obtained from the shared ECDH secret by
3636 * applying the TLS 1.2 PRF with a specific salt and label. While
3637 * the PSA Crypto API encourages combining key agreement schemes
3638 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3639 * yet support the provisioning of salt + label to the KDF.
3640 * For the time being, we therefore need to split the computation
3641 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]3642 key_attributes = psa_key_attributes_init();
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3643 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3644 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
3645 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
3646 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3647
3648 /* Generate ECDH private key. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3649 status = psa_generate_key(&key_attributes,
3650 &handshake->ecdh_psa_privkey);
3651 if (status != PSA_SUCCESS) {
3652 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3653 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3654
3655 /* Export the public part of the ECDH private key from PSA
3656 * and convert it to ECPoint format used in ClientKeyExchange. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3657 status = psa_export_public_key(handshake->ecdh_psa_privkey,
3658 own_pubkey, sizeof(own_pubkey),
3659 &own_pubkey_len);
3660 if (status != PSA_SUCCESS) {
3661 psa_destroy_key(handshake->ecdh_psa_privkey);
Andrzej Kurek4b1216b2022-02-24 13:38:48 -0500[diff] [blame]3662 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3663 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Andrzej Kurek4b1216b2022-02-24 13:38:48 -0500[diff] [blame]3664 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3665
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3666 if (mbedtls_psa_tls_psa_ec_to_ecpoint(own_pubkey,
3667 own_pubkey_len,
3668 &own_pubkey_ecpoint,
3669 &own_pubkey_ecpoint_len) != 0) {
3670 psa_destroy_key(handshake->ecdh_psa_privkey);
Andrzej Kurek4b1216b2022-02-24 13:38:48 -0500[diff] [blame]3671 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3672 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3673 }
3674
3675 /* Copy ECPoint structure to outgoing message buffer. */
Andrzej Kurekade9e282019-05-07 08:19:33 -0400[diff] [blame]3676 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3677 memcpy(ssl->out_msg + header_len + 1,
3678 own_pubkey_ecpoint, own_pubkey_ecpoint_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3679 content_len = own_pubkey_ecpoint_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3680
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3681 /* The ECDH secret is the premaster secret used for key derivation. */
3682
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]3683 /* Compute ECDH shared secret. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3684 status = psa_raw_key_agreement(PSA_ALG_ECDH,
3685 handshake->ecdh_psa_privkey,
3686 handshake->ecdh_psa_peerkey,
3687 handshake->ecdh_psa_peerkey_len,
3688 ssl->handshake->premaster,
3689 sizeof(ssl->handshake->premaster),
3690 &ssl->handshake->pmslen);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3691
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3692 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
Ronald Croncf56a0a2020-08-04 09:51:30 +0200[diff] [blame]3693 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek4b1216b2022-02-24 13:38:48 -0500[diff] [blame]3694
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3695 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
3696 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3697 }
3698 } else
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]3699#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3700 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3701 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3702#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3703 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3704 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3706 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3710 /*
3711 * ECDH key exchange -- send client public value
3712 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3713 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3714
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3715#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3716 if (ssl->handshake->ecrs_enabled) {
3717 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3718 goto ecdh_calc_secret;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3719 }
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3720
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3721 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3722 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3723#endif
3724
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3725 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3726 &content_len,
3727 &ssl->out_msg[header_len], 1000,
3728 ssl->conf->f_rng, ssl->conf->p_rng);
3729 if (ret != 0) {
3730 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3731#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3732 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3733 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3734 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3735#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3736 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3737 }
3738
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3739 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3740 MBEDTLS_DEBUG_ECDH_Q);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3741
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3742#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3743 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3744 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3745 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3746 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3747
3748ecdh_calc_secret:
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3749 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3750 content_len = ssl->handshake->ecrs_n;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3751 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3752#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3753 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3754 &ssl->handshake->pmslen,
3755 ssl->handshake->premaster,
3756 MBEDTLS_MPI_MAX_SIZE,
3757 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3758 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3759#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3760 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3761 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3762 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3763#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3764 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3765 }
3766
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3767 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3768 MBEDTLS_DEBUG_ECDH_Z);
3769 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3770#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3771 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3772 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3773 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3774#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3775 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3776 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3777 * opaque psk_identity<0..2^16-1>;
3778 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3779 if (ssl_conf_has_static_psk(ssl->conf) == 0) {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3780 /* We don't offer PSK suites if we don't have a PSK,
3781 * and we check that the server's choice is among the
3782 * ciphersuites we offered, so this should never happen. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3783 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3784 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3785
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3786 header_len = 4;
3787 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3788
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3789 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3790 MBEDTLS_SSL_DEBUG_MSG(1,
3791 ("psk identity too long or SSL buffer too short"));
3792 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3793 }
3794
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3795 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3796 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3797
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3798 memcpy(ssl->out_msg + header_len,
3799 ssl->conf->psk_identity,
3800 ssl->conf->psk_identity_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3801 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3803#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3804 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3805 content_len = 0;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3806 } else
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3807#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3808#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3809 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3810#if defined(MBEDTLS_USE_PSA_CRYPTO)
3811 /* Opaque PSKs are currently only supported for PSK-only suites. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3812 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3813 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with RSA-PSK"));
3814 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +0200[diff] [blame]3815 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3816#endif /* MBEDTLS_USE_PSA_CRYPTO */
3817
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3818 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3819 &content_len, 2)) != 0) {
3820 return ret;
3821 }
3822 } else
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3823#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3824#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3825 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3826#if defined(MBEDTLS_USE_PSA_CRYPTO)
3827 /* Opaque PSKs are currently only supported for PSK-only suites. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3828 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3829 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with DHE-PSK"));
3830 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +0200[diff] [blame]3831 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3832#endif /* MBEDTLS_USE_PSA_CRYPTO */
3833
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3834 /*
3835 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3836 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3837 content_len = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3838
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3839 if (header_len + 2 + content_len >
3840 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3841 MBEDTLS_SSL_DEBUG_MSG(1,
3842 ("psk identity or DHM size too long or SSL buffer too short"));
3843 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3844 }
3845
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3846 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3847 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3848
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3849 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3850 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3851 &ssl->out_msg[header_len], content_len,
3852 ssl->conf->f_rng, ssl->conf->p_rng);
3853 if (ret != 0) {
3854 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3855 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3856 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3857 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3858#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3859#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3860 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3861#if defined(MBEDTLS_USE_PSA_CRYPTO)
3862 /* Opaque PSKs are currently only supported for PSK-only suites. */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3863 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3864 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with ECDHE-PSK"));
3865 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +0200[diff] [blame]3866 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +0100[diff] [blame]3867#endif /* MBEDTLS_USE_PSA_CRYPTO */
3868
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3869 /*
3870 * ClientECDiffieHellmanPublic public;
3871 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3872 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3873 &content_len,
3874 &ssl->out_msg[header_len],
3875 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3876 ssl->conf->f_rng, ssl->conf->p_rng);
3877 if (ret != 0) {
3878 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3879 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3880 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3881
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3882 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3883 MBEDTLS_DEBUG_ECDH_Q);
3884 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3885#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3886 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3887 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3888 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3889 }
3890
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3891#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3892 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3893 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3894 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3895 ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3896 MBEDTLS_SSL_DEBUG_MSG(1,
3897 ("skip PMS generation for opaque PSK"));
3898 } else
Hanno Beckerafd311e2018-10-23 15:26:40 +0100[diff] [blame]3899#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3900 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3901 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3902 ciphersuite_info->key_exchange)) != 0) {
3903 MBEDTLS_SSL_DEBUG_RET(1,
3904 "mbedtls_ssl_psk_derive_premaster", ret);
3905 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3906 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3907 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3908#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3909#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3910 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3911 header_len = 4;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3912 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3913 &content_len, 0)) != 0) {
3914 return ret;
3915 }
3916 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3917#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3918#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3919 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3920 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3921
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3922 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3923 ssl->out_msg + header_len,
3924 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3925 &content_len,
3926 ssl->conf->f_rng, ssl->conf->p_rng);
3927 if (ret != 0) {
3928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3929 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3930 }
3931
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3932 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3933 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3934 ssl->conf->f_rng, ssl->conf->p_rng);
3935 if (ret != 0) {
3936 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3937 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3938 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3939 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3940#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3941 {
3942 ((void) ciphersuite_info);
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3943 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3944 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3945 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3946
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3947 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3948 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3949 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3950
3951 ssl->state++;
3952
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3953 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3954 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3955 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3956 }
3957
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3958 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3959
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3960 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3961}
3962
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3963#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3964MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3965static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3966{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3967 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3968 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3969 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3970
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3971 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3972
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3973 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3974 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3975 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3976 }
3977
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3978 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3979 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3980 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3981 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3982 }
3983
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3984 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3985 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3986}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3987#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]3988MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]3989static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3990{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3991 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3992 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3993 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3994 size_t n = 0, offset = 0;
3995 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3996 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3997 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3998 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3999 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4000
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4001 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4002
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4003#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4004 if (ssl->handshake->ecrs_enabled &&
4005 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]4006 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]4007 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]4008#endif
4009
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4010 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4011 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4012 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]4013 }
4014
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4015 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4016 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4017 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4018 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4019 }
4020
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4021 if (ssl->client_auth == 0 || mbedtls_ssl_own_cert(ssl) == NULL) {
4022 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]4023 ssl->state++;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4024 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4025 }
4026
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4027 if (mbedtls_ssl_own_key(ssl) == NULL) {
4028 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
4029 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4030 }
4031
4032 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]4033 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4034 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4035#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4036 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]4037 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4038 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]4039
4040sign:
4041#endif
4042
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4043 ssl->handshake->calc_verify(ssl, hash, &hashlen);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4045#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4046 defined(MBEDTLS_SSL_PROTO_TLS1_1)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4047 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4048 /*
4049 * digitally-signed struct {
4050 * opaque md5_hash[16];
4051 * opaque sha_hash[20];
4052 * };
4053 *
4054 * md5_hash
4055 * MD5(handshake_messages);
4056 *
4057 * sha_hash
4058 * SHA(handshake_messages);
4059 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4060 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4061
4062 /*
4063 * For ECDSA, default hash is SHA-1 only
4064 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4065 if (mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECDSA)) {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4066 hash_start += 16;
4067 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4068 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4069 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4070 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4071#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
4072 MBEDTLS_SSL_PROTO_TLS1_1 */
4073#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4074 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4075 /*
4076 * digitally-signed struct {
4077 * opaque handshake_messages[handshake_messages_length];
4078 * };
4079 *
4080 * Taking shortcut here. We assume that the server always allows the
4081 * PRF Hash function and has sent it in the allowed signature
4082 * algorithms list received in the Certificate Request message.
4083 *
4084 * Until we encounter a server that does not, we will take this
4085 * shortcut.
4086 *
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]4087 * Reason: Otherwise we should have running hashes for SHA512 and
4088 * SHA224 in order to satisfy 'weird' needs from the server
4089 * side.
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4090 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4091 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4092 md_alg = MBEDTLS_MD_SHA384;
4093 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4094 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4095 md_alg = MBEDTLS_MD_SHA256;
4096 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]4097 }
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4098 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4099
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]4100 /* Info from md_alg will be used instead */
4101 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4102 offset = 2;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4103 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4104#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]4105 {
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]4108 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4109
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4110#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4111 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]4112 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4113 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]4114#endif
4115
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4116 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
4117 md_alg, hash_start, hashlen,
4118 ssl->out_msg + 6 + offset, &n,
4119 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
4120 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4121#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4122 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]4123 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4124 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]4125#endif
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4126 return ret;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]4127 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4128
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4129 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4130
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]4131 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4132 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4133 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4134
4135 ssl->state++;
4136
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4137 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4138 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4139 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4140 }
4141
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4142 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4143
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4144 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4145}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4146#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4148#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200[diff] [blame]4149MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4150static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4151{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4152 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4153 uint32_t lifetime;
4154 size_t ticket_len;
4155 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4156 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4157
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4158 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4159
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4160 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
4161 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
4162 return ret;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4163 }
4164
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4165 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
4166 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]4167 mbedtls_ssl_send_alert_message(
4168 ssl,
4169 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4170 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
4171 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4172 }
4173
4174 /*
4175 * struct {
4176 * uint32 ticket_lifetime_hint;
4177 * opaque ticket<0..2^16-1>;
4178 * } NewSessionTicket;
4179 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4180 * 0 . 3 ticket_lifetime_hint
4181 * 4 . 5 ticket_len (n)
4182 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4183 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4184 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
4185 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
4186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
4187 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4188 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
4189 return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4190 }
4191
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4192 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4193
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4194 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
4195 (msg[2] << 8) | (msg[3]);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4196
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4197 ticket_len = (msg[4] << 8) | (msg[5]);
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]4198
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4199 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
4200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
4201 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4202 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
4203 return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4204 }
4205
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4206 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4207
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]4208 /* We're not waiting for a NewSessionTicket message any more */
4209 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4210 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]4211
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4212 /*
4213 * Zero-length ticket means the server changed his mind and doesn't want
4214 * to send a ticket after all, so just forget it
4215 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4216 if (ticket_len == 0) {
4217 return 0;
4218 }
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4219
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4220 if (ssl->session != NULL && ssl->session->ticket != NULL) {
4221 mbedtls_platform_zeroize(ssl->session->ticket,
4222 ssl->session->ticket_len);
4223 mbedtls_free(ssl->session->ticket);
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]4224 ssl->session->ticket = NULL;
4225 ssl->session->ticket_len = 0;
4226 }
4227
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4228 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
4229 ssl->session_negotiate->ticket_len);
4230 mbedtls_free(ssl->session_negotiate->ticket);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4231 ssl->session_negotiate->ticket = NULL;
4232 ssl->session_negotiate->ticket_len = 0;
4233
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4234 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
4235 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
4236 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4237 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
4238 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4239 }
4240
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4241 memcpy(ticket, msg + 6, ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4242
4243 ssl->session_negotiate->ticket = ticket;
4244 ssl->session_negotiate->ticket_len = ticket_len;
4245 ssl->session_negotiate->ticket_lifetime = lifetime;
4246
4247 /*
4248 * RFC 5077 section 3.4:
4249 * "If the client receives a session ticket from the server, then it
4250 * discards any Session ID that was sent in the ServerHello."
4251 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4252 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]4253 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4254
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4255 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4256
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4257 return 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4258}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4259#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]4260
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4261/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4262 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4263 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4264int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4265{
4266 int ret = 0;
4267
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4268 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
4269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4270 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4271
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4272 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4273
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4274 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4275 return ret;
4276 }
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4277
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4278#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4279 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4280 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4281 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4282 return ret;
4283 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]4284 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]4285#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]4286
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4287 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4288 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4289#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4290 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
4291 ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4292 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4293 }
4294#endif
4295
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4296 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4297 case MBEDTLS_SSL_HELLO_REQUEST:
4298 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4299 break;
4300
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4301 /*
4302 * ==> ClientHello
4303 */
4304 case MBEDTLS_SSL_CLIENT_HELLO:
4305 ret = ssl_write_client_hello(ssl);
4306 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4307
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4308 /*
4309 * <== ServerHello
4310 * Certificate
4311 * ( ServerKeyExchange )
4312 * ( CertificateRequest )
4313 * ServerHelloDone
4314 */
4315 case MBEDTLS_SSL_SERVER_HELLO:
4316 ret = ssl_parse_server_hello(ssl);
4317 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4318
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4319 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4320 ret = mbedtls_ssl_parse_certificate(ssl);
4321 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4322
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4323 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4324 ret = ssl_parse_server_key_exchange(ssl);
4325 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4326
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4327 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4328 ret = ssl_parse_certificate_request(ssl);
4329 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4330
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4331 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4332 ret = ssl_parse_server_hello_done(ssl);
4333 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4334
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4335 /*
4336 * ==> ( Certificate/Alert )
4337 * ClientKeyExchange
4338 * ( CertificateVerify )
4339 * ChangeCipherSpec
4340 * Finished
4341 */
4342 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4343 ret = mbedtls_ssl_write_certificate(ssl);
4344 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4345
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4346 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4347 ret = ssl_write_client_key_exchange(ssl);
4348 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4349
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4350 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4351 ret = ssl_write_certificate_verify(ssl);
4352 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4353
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4354 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4355 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4356 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4357
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4358 case MBEDTLS_SSL_CLIENT_FINISHED:
4359 ret = mbedtls_ssl_write_finished(ssl);
4360 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4361
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4362 /*
4363 * <== ( NewSessionTicket )
4364 * ChangeCipherSpec
4365 * Finished
4366 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4367#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4368 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
4369 ret = ssl_parse_new_session_ticket(ssl);
4370 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4371#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]4372
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4373 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4374 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4375 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4376
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4377 case MBEDTLS_SSL_SERVER_FINISHED:
4378 ret = mbedtls_ssl_parse_finished(ssl);
4379 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4380
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4381 case MBEDTLS_SSL_FLUSH_BUFFERS:
4382 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4383 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4384 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4385
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4386 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4387 mbedtls_ssl_handshake_wrapup(ssl);
4388 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]4389
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4390 default:
4391 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4392 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4393 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4394
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100[diff] [blame]4395 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4396}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4397#endif /* MBEDTLS_SSL_CLI_C */