TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 324b9e14d7e58fd4b4e75da00f002098bc47118d / . / lib / libmbedtls / mbedtls / library / ssl_cli.c
blob: 47b6d0cdc8e6d1ff19302c43eb15fb07eca677a7 [file] [log] [blame]
Edison Aic6672fd2018-02-28 15:01:47 +0800[diff] [blame]1// SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2/*
3 * SSLv3/TLSv1 client-side functions
4 *
5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_SSL_CLI_C)
29
30#if defined(MBEDTLS_PLATFORM_C)
31#include "mbedtls/platform.h"
32#else
33#include <stdlib.h>
34#define mbedtls_calloc calloc
35#define mbedtls_free free
36#endif
37
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]38#include "mbedtls/ssl.h"
39#include "mbedtls/ssl_internal.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]40#include "mbedtls/debug.h"
41#include "mbedtls/error.h"
42
43#if defined(MBEDTLS_USE_PSA_CRYPTO)
44#include "mbedtls/psa_util.h"
45#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]46
47#include <string.h>
48
49#include <stdint.h>
50
51#if defined(MBEDTLS_HAVE_TIME)
52#include "mbedtls/platform_time.h"
53#endif
54
55#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]56#include "mbedtls/platform_util.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]57#endif
58
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]59#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
60static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
61{
62 if( conf->psk_identity == NULL ||
63 conf->psk_identity_len == 0 )
64 {
65 return( 0 );
66 }
67
68 if( conf->psk != NULL && conf->psk_len != 0 )
69 return( 1 );
70
71#if defined(MBEDTLS_USE_PSA_CRYPTO)
72 if( conf->psk_opaque != 0 )
73 return( 1 );
74#endif /* MBEDTLS_USE_PSA_CRYPTO */
75
76 return( 0 );
77}
78
79#if defined(MBEDTLS_USE_PSA_CRYPTO)
80static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
81{
82 if( conf->psk_identity == NULL ||
83 conf->psk_identity_len == 0 )
84 {
85 return( 0 );
86 }
87
88 if( conf->psk != NULL && conf->psk_len != 0 )
89 return( 1 );
90
91 return( 0 );
92}
93#endif /* MBEDTLS_USE_PSA_CRYPTO */
94
95#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
96
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]97#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
98static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
99 unsigned char *buf,
100 size_t *olen )
101{
102 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]103 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]104 size_t hostname_len;
105
106 *olen = 0;
107
108 if( ssl->hostname == NULL )
109 return;
110
111 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
112 ssl->hostname ) );
113
114 hostname_len = strlen( ssl->hostname );
115
116 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
117 {
118 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
119 return;
120 }
121
122 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]123 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
124 *
125 * In order to provide any of the server names, clients MAY include an
126 * extension of type "server_name" in the (extended) client hello. The
127 * "extension_data" field of this extension SHALL contain
128 * "ServerNameList" where:
129 *
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]130 * struct {
131 * NameType name_type;
132 * select (name_type) {
133 * case host_name: HostName;
134 * } name;
135 * } ServerName;
136 *
137 * enum {
138 * host_name(0), (255)
139 * } NameType;
140 *
141 * opaque HostName<1..2^16-1>;
142 *
143 * struct {
144 * ServerName server_name_list<1..2^16-1>
145 * } ServerNameList;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]146 *
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]147 */
148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
149 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
150
151 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
153
154 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
155 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
156
157 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
158 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
159 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
160
161 memcpy( p, ssl->hostname, hostname_len );
162
163 *olen = hostname_len + 9;
164}
165#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
166
167#if defined(MBEDTLS_SSL_RENEGOTIATION)
168static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
169 unsigned char *buf,
170 size_t *olen )
171{
172 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]173 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]174
175 *olen = 0;
176
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]177 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
178 * initial ClientHello, in which case also adding the renegotiation
179 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]180 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
181 return;
182
183 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
184
185 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
186 {
187 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
188 return;
189 }
190
191 /*
192 * Secure renegotiation
193 */
194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
195 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
196
197 *p++ = 0x00;
198 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
199 *p++ = ssl->verify_data_len & 0xFF;
200
201 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
202
203 *olen = 5 + ssl->verify_data_len;
204}
205#endif /* MBEDTLS_SSL_RENEGOTIATION */
206
207/*
208 * Only if we handle at least one key exchange that needs signatures.
209 */
210#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]211 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]212static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
213 unsigned char *buf,
214 size_t *olen )
215{
216 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]217 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]218 size_t sig_alg_len = 0;
219 const int *md;
220#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
221 unsigned char *sig_alg_list = buf + 6;
222#endif
223
224 *olen = 0;
225
226 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
227 return;
228
229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
230
231 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
232 {
233#if defined(MBEDTLS_ECDSA_C)
234 sig_alg_len += 2;
235#endif
236#if defined(MBEDTLS_RSA_C)
237 sig_alg_len += 2;
238#endif
239 }
240
241 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
242 {
243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
244 return;
245 }
246
247 /*
248 * Prepare signature_algorithms extension (TLS 1.2)
249 */
250 sig_alg_len = 0;
251
252 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
253 {
254#if defined(MBEDTLS_ECDSA_C)
255 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
256 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
257#endif
258#if defined(MBEDTLS_RSA_C)
259 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
260 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
261#endif
262 }
263
264 /*
265 * enum {
266 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
267 * sha512(6), (255)
268 * } HashAlgorithm;
269 *
270 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
271 * SignatureAlgorithm;
272 *
273 * struct {
274 * HashAlgorithm hash;
275 * SignatureAlgorithm signature;
276 * } SignatureAndHashAlgorithm;
277 *
278 * SignatureAndHashAlgorithm
279 * supported_signature_algorithms<2..2^16-2>;
280 */
281 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
282 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
283
284 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
285 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
286
287 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
288 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
289
290 *olen = 6 + sig_alg_len;
291}
292#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]293 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]294
295#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
296 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
297static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
298 unsigned char *buf,
299 size_t *olen )
300{
301 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]302 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]303 unsigned char *elliptic_curve_list = p + 6;
304 size_t elliptic_curve_len = 0;
305 const mbedtls_ecp_curve_info *info;
306#if defined(MBEDTLS_ECP_C)
307 const mbedtls_ecp_group_id *grp_id;
308#else
309 ((void) ssl);
310#endif
311
312 *olen = 0;
313
314 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
315
316#if defined(MBEDTLS_ECP_C)
317 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
318#else
319 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
320#endif
321 {
322#if defined(MBEDTLS_ECP_C)
323 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
324#endif
325 if( info == NULL )
326 {
327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
328 return;
329 }
330
331 elliptic_curve_len += 2;
332 }
333
334 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
335 {
336 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
337 return;
338 }
339
340 elliptic_curve_len = 0;
341
342#if defined(MBEDTLS_ECP_C)
343 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
344#else
345 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
346#endif
347 {
348#if defined(MBEDTLS_ECP_C)
349 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
350#endif
351 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
352 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
353 }
354
355 if( elliptic_curve_len == 0 )
356 return;
357
358 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
359 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
360
361 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
362 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
363
364 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
365 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
366
367 *olen = 6 + elliptic_curve_len;
368}
369
370static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
371 unsigned char *buf,
372 size_t *olen )
373{
374 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]375 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]376
377 *olen = 0;
378
379 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
380
381 if( end < p || (size_t)( end - p ) < 6 )
382 {
383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
384 return;
385 }
386
387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
388 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
389
390 *p++ = 0x00;
391 *p++ = 2;
392
393 *p++ = 1;
394 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
395
396 *olen = 6;
397}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]398#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]399 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
400
401#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
402static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
403 unsigned char *buf,
404 size_t *olen )
405{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]406 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]407 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]408 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]409 size_t kkpp_len;
410
411 *olen = 0;
412
413 /* Skip costly extension if we can't use EC J-PAKE anyway */
414 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
415 return;
416
417 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
418
419 if( end - p < 4 )
420 {
421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
422 return;
423 }
424
425 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
426 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
427
428 /*
429 * We may need to send ClientHello multiple times for Hello verification.
430 * We don't want to compute fresh values every time (both for performance
431 * and consistency reasons), so cache the extension content.
432 */
433 if( ssl->handshake->ecjpake_cache == NULL ||
434 ssl->handshake->ecjpake_cache_len == 0 )
435 {
436 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
437
438 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
439 p + 2, end - p - 2, &kkpp_len,
440 ssl->conf->f_rng, ssl->conf->p_rng );
441 if( ret != 0 )
442 {
443 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
444 return;
445 }
446
447 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
448 if( ssl->handshake->ecjpake_cache == NULL )
449 {
450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
451 return;
452 }
453
454 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
455 ssl->handshake->ecjpake_cache_len = kkpp_len;
456 }
457 else
458 {
459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
460
461 kkpp_len = ssl->handshake->ecjpake_cache_len;
462
463 if( (size_t)( end - p - 2 ) < kkpp_len )
464 {
465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
466 return;
467 }
468
469 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
470 }
471
472 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
473 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
474
475 *olen = kkpp_len + 4;
476}
477#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
478
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]479#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
480static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
481 unsigned char *buf,
482 size_t *olen )
483{
484 unsigned char *p = buf;
485 size_t ext_len;
486 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
487
488 /*
489 * Quoting draft-ietf-tls-dtls-connection-id-05
490 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
491 *
492 * struct {
493 * opaque cid<0..2^8-1>;
494 * } ConnectionId;
495 */
496
497 *olen = 0;
498 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
499 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
500 {
501 return;
502 }
503 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
504
505 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
506 * which is at most 255, so the increment cannot overflow. */
507 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
508 {
509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
510 return;
511 }
512
513 /* Add extension ID + size */
514 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
515 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
516 ext_len = (size_t) ssl->own_cid_len + 1;
517 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
518 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
519
520 *p++ = (uint8_t) ssl->own_cid_len;
521 memcpy( p, ssl->own_cid, ssl->own_cid_len );
522
523 *olen = ssl->own_cid_len + 5;
524}
525#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
526
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]527#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
528static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
529 unsigned char *buf,
530 size_t *olen )
531{
532 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]533 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]534
535 *olen = 0;
536
537 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
538 return;
539 }
540
541 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
542
543 if( end < p || (size_t)( end - p ) < 5 )
544 {
545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
546 return;
547 }
548
549 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
550 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
551
552 *p++ = 0x00;
553 *p++ = 1;
554
555 *p++ = ssl->conf->mfl_code;
556
557 *olen = 5;
558}
559#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
560
561#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
562static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
563 unsigned char *buf, size_t *olen )
564{
565 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]566 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]567
568 *olen = 0;
569
570 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
571 {
572 return;
573 }
574
575 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
576
577 if( end < p || (size_t)( end - p ) < 4 )
578 {
579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
580 return;
581 }
582
583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
585
586 *p++ = 0x00;
587 *p++ = 0x00;
588
589 *olen = 4;
590}
591#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
592
593#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
594static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
595 unsigned char *buf, size_t *olen )
596{
597 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]598 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]599
600 *olen = 0;
601
602 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
603 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
604 {
605 return;
606 }
607
608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
609 "extension" ) );
610
611 if( end < p || (size_t)( end - p ) < 4 )
612 {
613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
614 return;
615 }
616
617 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
618 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
619
620 *p++ = 0x00;
621 *p++ = 0x00;
622
623 *olen = 4;
624}
625#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
626
627#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
628static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
629 unsigned char *buf, size_t *olen )
630{
631 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]632 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]633
634 *olen = 0;
635
636 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
637 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
638 {
639 return;
640 }
641
642 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
643 "extension" ) );
644
645 if( end < p || (size_t)( end - p ) < 4 )
646 {
647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
648 return;
649 }
650
651 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
652 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
653
654 *p++ = 0x00;
655 *p++ = 0x00;
656
657 *olen = 4;
658}
659#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
660
661#if defined(MBEDTLS_SSL_SESSION_TICKETS)
662static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
663 unsigned char *buf, size_t *olen )
664{
665 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]666 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]667 size_t tlen = ssl->session_negotiate->ticket_len;
668
669 *olen = 0;
670
671 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
672 {
673 return;
674 }
675
676 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
677
678 if( end < p || (size_t)( end - p ) < 4 + tlen )
679 {
680 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
681 return;
682 }
683
684 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
685 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
686
687 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
688 *p++ = (unsigned char)( ( tlen ) & 0xFF );
689
690 *olen = 4;
691
692 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
693 {
694 return;
695 }
696
697 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
698
699 memcpy( p, ssl->session_negotiate->ticket, tlen );
700
701 *olen += tlen;
702}
703#endif /* MBEDTLS_SSL_SESSION_TICKETS */
704
705#if defined(MBEDTLS_SSL_ALPN)
706static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
707 unsigned char *buf, size_t *olen )
708{
709 unsigned char *p = buf;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]710 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]711 size_t alpnlen = 0;
712 const char **cur;
713
714 *olen = 0;
715
716 if( ssl->conf->alpn_list == NULL )
717 {
718 return;
719 }
720
721 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
722
723 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
724 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
725
726 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
727 {
728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
729 return;
730 }
731
732 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
733 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
734
735 /*
736 * opaque ProtocolName<1..2^8-1>;
737 *
738 * struct {
739 * ProtocolName protocol_name_list<2..2^16-1>
740 * } ProtocolNameList;
741 */
742
743 /* Skip writing extension and list length for now */
744 p += 4;
745
746 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
747 {
748 *p = (unsigned char)( strlen( *cur ) & 0xFF );
749 memcpy( p + 1, *cur, *p );
750 p += 1 + *p;
751 }
752
753 *olen = p - buf;
754
755 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
756 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
757 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
758
759 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
760 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
761 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
762}
763#endif /* MBEDTLS_SSL_ALPN */
764
765/*
766 * Generate random bytes for ClientHello
767 */
768static int ssl_generate_random( mbedtls_ssl_context *ssl )
769{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]771 unsigned char *p = ssl->handshake->randbytes;
772#if defined(MBEDTLS_HAVE_TIME)
773 mbedtls_time_t t;
774#endif
775
776 /*
777 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
778 */
779#if defined(MBEDTLS_SSL_PROTO_DTLS)
780 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
781 ssl->handshake->verify_cookie != NULL )
782 {
783 return( 0 );
784 }
785#endif
786
787#if defined(MBEDTLS_HAVE_TIME)
788 t = mbedtls_time( NULL );
789 *p++ = (unsigned char)( t >> 24 );
790 *p++ = (unsigned char)( t >> 16 );
791 *p++ = (unsigned char)( t >> 8 );
792 *p++ = (unsigned char)( t );
793
794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
795#else
796 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
797 return( ret );
798
799 p += 4;
800#endif /* MBEDTLS_HAVE_TIME */
801
802 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
803 return( ret );
804
805 return( 0 );
806}
807
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]808/**
809 * \brief Validate cipher suite against config in SSL context.
810 *
811 * \param suite_info cipher suite to validate
812 * \param ssl SSL context
813 * \param min_minor_ver Minimal minor version to accept a cipher suite
814 * \param max_minor_ver Maximal minor version to accept a cipher suite
815 *
816 * \return 0 if valid, else 1
817 */
818static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
819 const mbedtls_ssl_context * ssl,
820 int min_minor_ver, int max_minor_ver )
821{
822 (void) ssl;
823 if( suite_info == NULL )
824 return( 1 );
825
826 if( suite_info->min_minor_ver > max_minor_ver ||
827 suite_info->max_minor_ver < min_minor_ver )
828 return( 1 );
829
830#if defined(MBEDTLS_SSL_PROTO_DTLS)
831 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
832 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
833 return( 1 );
834#endif
835
836#if defined(MBEDTLS_ARC4_C)
837 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
838 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
839 return( 1 );
840#endif
841
842#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
843 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
844 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
845 return( 1 );
846#endif
847
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]848 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
849#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
850 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
851 ssl_conf_has_static_psk( ssl->conf ) == 0 )
852 {
853 return( 1 );
854 }
855#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
856
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]857 return( 0 );
858}
859
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]860static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
861{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]862 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]863 size_t i, n, olen, ext_len = 0;
864 unsigned char *buf;
865 unsigned char *p, *q;
866 unsigned char offer_compress;
867 const int *ciphersuites;
868 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]869#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
870 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
871 int uses_ec = 0;
872#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]873
874 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
875
876 if( ssl->conf->f_rng == NULL )
877 {
878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
879 return( MBEDTLS_ERR_SSL_NO_RNG );
880 }
881
882#if defined(MBEDTLS_SSL_RENEGOTIATION)
883 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
884#endif
885 {
886 ssl->major_ver = ssl->conf->min_major_ver;
887 ssl->minor_ver = ssl->conf->min_minor_ver;
888 }
889
890 if( ssl->conf->max_major_ver == 0 )
891 {
892 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
893 "consider using mbedtls_ssl_config_defaults()" ) );
894 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
895 }
896
897 /*
898 * 0 . 0 handshake type
899 * 1 . 3 handshake length
900 * 4 . 5 highest version supported
901 * 6 . 9 current UNIX time
902 * 10 . 37 random bytes
903 */
904 buf = ssl->out_msg;
905 p = buf + 4;
906
907 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
908 ssl->conf->transport, p );
909 p += 2;
910
911 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
912 buf[4], buf[5] ) );
913
914 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
915 {
916 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
917 return( ret );
918 }
919
920 memcpy( p, ssl->handshake->randbytes, 32 );
921 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
922 p += 32;
923
924 /*
925 * 38 . 38 session id length
926 * 39 . 39+n session id
927 * 39+n . 39+n DTLS only: cookie length (1 byte)
928 * 40+n . .. DTSL only: cookie
929 * .. . .. ciphersuitelist length (2 bytes)
930 * .. . .. ciphersuitelist
931 * .. . .. compression methods length (1 byte)
932 * .. . .. compression methods
933 * .. . .. extensions length (2 bytes)
934 * .. . .. extensions
935 */
936 n = ssl->session_negotiate->id_len;
937
938 if( n < 16 || n > 32 ||
939#if defined(MBEDTLS_SSL_RENEGOTIATION)
940 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
941#endif
942 ssl->handshake->resume == 0 )
943 {
944 n = 0;
945 }
946
947#if defined(MBEDTLS_SSL_SESSION_TICKETS)
948 /*
949 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
950 * generate and include a Session ID in the TLS ClientHello."
951 */
952#if defined(MBEDTLS_SSL_RENEGOTIATION)
953 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
954#endif
955 {
956 if( ssl->session_negotiate->ticket != NULL &&
957 ssl->session_negotiate->ticket_len != 0 )
958 {
959 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
960
961 if( ret != 0 )
962 return( ret );
963
964 ssl->session_negotiate->id_len = n = 32;
965 }
966 }
967#endif /* MBEDTLS_SSL_SESSION_TICKETS */
968
969 *p++ = (unsigned char) n;
970
971 for( i = 0; i < n; i++ )
972 *p++ = ssl->session_negotiate->id[i];
973
974 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
975 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
976
977 /*
978 * DTLS cookie
979 */
980#if defined(MBEDTLS_SSL_PROTO_DTLS)
981 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
982 {
983 if( ssl->handshake->verify_cookie == NULL )
984 {
985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
986 *p++ = 0;
987 }
988 else
989 {
990 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
991 ssl->handshake->verify_cookie,
992 ssl->handshake->verify_cookie_len );
993
994 *p++ = ssl->handshake->verify_cookie_len;
995 memcpy( p, ssl->handshake->verify_cookie,
996 ssl->handshake->verify_cookie_len );
997 p += ssl->handshake->verify_cookie_len;
998 }
999 }
1000#endif
1001
1002 /*
1003 * Ciphersuite list
1004 */
1005 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1006
1007 /* Skip writing ciphersuite length for now */
1008 n = 0;
1009 q = p;
1010 p += 2;
1011
1012 for( i = 0; ciphersuites[i] != 0; i++ )
1013 {
1014 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
1015
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1016 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1017 ssl->conf->min_minor_ver,
1018 ssl->conf->max_minor_ver ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1019 continue;
1020
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
1022 ciphersuites[i] ) );
1023
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1024#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1025 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1026 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1027#endif
1028
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1029 n++;
1030 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1031 *p++ = (unsigned char)( ciphersuites[i] );
1032 }
1033
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
1035
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1036 /*
1037 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1038 */
1039#if defined(MBEDTLS_SSL_RENEGOTIATION)
1040 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1041#endif
1042 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1043 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1044 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1045 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
1046 n++;
1047 }
1048
1049 /* Some versions of OpenSSL don't handle it correctly if not at end */
1050#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1051 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1052 {
1053 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1054 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1055 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1056 n++;
1057 }
1058#endif
1059
1060 *q++ = (unsigned char)( n >> 7 );
1061 *q++ = (unsigned char)( n << 1 );
1062
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1063#if defined(MBEDTLS_ZLIB_SUPPORT)
1064 offer_compress = 1;
1065#else
1066 offer_compress = 0;
1067#endif
1068
1069 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1070 * We don't support compression with DTLS right now: if many records come
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1071 * in the same datagram, uncompressing one could overwrite the next one.
1072 * We don't want to add complexity for handling that case unless there is
1073 * an actual need for it.
1074 */
1075#if defined(MBEDTLS_SSL_PROTO_DTLS)
1076 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1077 offer_compress = 0;
1078#endif
1079
1080 if( offer_compress )
1081 {
1082 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1083 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1084 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
1085
1086 *p++ = 2;
1087 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1088 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1089 }
1090 else
1091 {
1092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1093 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1094 MBEDTLS_SSL_COMPRESS_NULL ) );
1095
1096 *p++ = 1;
1097 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1098 }
1099
1100 // First write extensions, then the total length
1101 //
1102#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1103 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1104 ext_len += olen;
1105#endif
1106
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1107 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1108 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1109#if defined(MBEDTLS_SSL_RENEGOTIATION)
1110 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1111 ext_len += olen;
1112#endif
1113
1114#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1115 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1116 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1117 ext_len += olen;
1118#endif
1119
1120#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1121 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1122 if( uses_ec )
1123 {
1124 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1125 ext_len += olen;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1126
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1127 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1128 ext_len += olen;
1129 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1130#endif
1131
1132#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1133 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1134 ext_len += olen;
1135#endif
1136
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1137#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1138 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1139 ext_len += olen;
1140#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1141
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1142#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1143 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1144 ext_len += olen;
1145#endif
1146
1147#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1148 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1149 ext_len += olen;
1150#endif
1151
1152#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1153 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1154 ext_len += olen;
1155#endif
1156
1157#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1158 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1159 ext_len += olen;
1160#endif
1161
1162#if defined(MBEDTLS_SSL_ALPN)
1163 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1164 ext_len += olen;
1165#endif
1166
1167#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1168 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1169 ext_len += olen;
1170#endif
1171
1172 /* olen unused if all extensions are disabled */
1173 ((void) olen);
1174
1175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1176 ext_len ) );
1177
1178 if( ext_len > 0 )
1179 {
1180 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1181 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1182 p += ext_len;
1183 }
1184
1185 ssl->out_msglen = p - buf;
1186 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1187 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1188
1189 ssl->state++;
1190
1191#if defined(MBEDTLS_SSL_PROTO_DTLS)
1192 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1193 mbedtls_ssl_send_flight_completed( ssl );
1194#endif
1195
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1196 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1197 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1198 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1199 return( ret );
1200 }
1201
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1202#if defined(MBEDTLS_SSL_PROTO_DTLS)
1203 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1204 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1205 {
1206 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1207 return( ret );
1208 }
1209#endif /* MBEDTLS_SSL_PROTO_DTLS */
1210
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1212
1213 return( 0 );
1214}
1215
1216static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1217 const unsigned char *buf,
1218 size_t len )
1219{
1220#if defined(MBEDTLS_SSL_RENEGOTIATION)
1221 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1222 {
1223 /* Check verify-data in constant-time. The length OTOH is no secret */
1224 if( len != 1 + ssl->verify_data_len * 2 ||
1225 buf[0] != ssl->verify_data_len * 2 ||
1226 mbedtls_ssl_safer_memcmp( buf + 1,
1227 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1228 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1229 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1230 {
1231 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1232 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1233 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1234 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1235 }
1236 }
1237 else
1238#endif /* MBEDTLS_SSL_RENEGOTIATION */
1239 {
1240 if( len != 1 || buf[0] != 0x00 )
1241 {
1242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
1243 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1244 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1245 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1246 }
1247
1248 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1249 }
1250
1251 return( 0 );
1252}
1253
1254#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1255static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1256 const unsigned char *buf,
1257 size_t len )
1258{
1259 /*
1260 * server should use the extension only if we did,
1261 * and if so the server's value should match ours (and len is always 1)
1262 */
1263 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1264 len != 1 ||
1265 buf[0] != ssl->conf->mfl_code )
1266 {
1267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
1268 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1269 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1270 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1271 }
1272
1273 return( 0 );
1274}
1275#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1276
1277#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1278static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1279 const unsigned char *buf,
1280 size_t len )
1281{
1282 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1283 len != 0 )
1284 {
1285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
1286 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1287 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1288 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1289 }
1290
1291 ((void) buf);
1292
1293 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1294
1295 return( 0 );
1296}
1297#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1298
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1299#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1300static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1301 const unsigned char *buf,
1302 size_t len )
1303{
1304 size_t peer_cid_len;
1305
1306 if( /* CID extension only makes sense in DTLS */
1307 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1308 /* The server must only send the CID extension if we have offered it. */
1309 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
1310 {
1311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
1312 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1313 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1314 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1315 }
1316
1317 if( len == 0 )
1318 {
1319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1320 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1321 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1322 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1323 }
1324
1325 peer_cid_len = *buf++;
1326 len--;
1327
1328 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1329 {
1330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1331 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1332 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1333 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1334 }
1335
1336 if( len != peer_cid_len )
1337 {
1338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1339 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1340 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1341 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1342 }
1343
1344 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
1345 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1346 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1347
1348 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1349 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1350
1351 return( 0 );
1352}
1353#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1354
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1355#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1356static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1357 const unsigned char *buf,
1358 size_t len )
1359{
1360 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1361 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1362 len != 0 )
1363 {
1364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
1365 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1366 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1367 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1368 }
1369
1370 ((void) buf);
1371
1372 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1373
1374 return( 0 );
1375}
1376#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1377
1378#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1379static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1380 const unsigned char *buf,
1381 size_t len )
1382{
1383 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1384 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1385 len != 0 )
1386 {
1387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
1388 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1389 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1390 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1391 }
1392
1393 ((void) buf);
1394
1395 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1396
1397 return( 0 );
1398}
1399#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1400
1401#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1402static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1403 const unsigned char *buf,
1404 size_t len )
1405{
1406 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1407 len != 0 )
1408 {
1409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
1410 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1411 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1412 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1413 }
1414
1415 ((void) buf);
1416
1417 ssl->handshake->new_session_ticket = 1;
1418
1419 return( 0 );
1420}
1421#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1422
1423#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1424 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1425static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1426 const unsigned char *buf,
1427 size_t len )
1428{
1429 size_t list_size;
1430 const unsigned char *p;
1431
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1432 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1433 {
1434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1435 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1436 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1437 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1438 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1439 list_size = buf[0];
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1440
1441 p = buf + 1;
1442 while( list_size > 0 )
1443 {
1444 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1445 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1446 {
1447#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1448 ssl->handshake->ecdh_ctx.point_format = p[0];
1449#endif
1450#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1451 ssl->handshake->ecjpake_ctx.point_format = p[0];
1452#endif
1453 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1454 return( 0 );
1455 }
1456
1457 list_size--;
1458 p++;
1459 }
1460
1461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1462 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1463 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1464 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1465}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1466#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1467 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1468
1469#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1470static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1471 const unsigned char *buf,
1472 size_t len )
1473{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1475
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1476 if( ssl->handshake->ciphersuite_info->key_exchange !=
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1477 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1478 {
1479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1480 return( 0 );
1481 }
1482
1483 /* If we got here, we no longer need our cached extension */
1484 mbedtls_free( ssl->handshake->ecjpake_cache );
1485 ssl->handshake->ecjpake_cache = NULL;
1486 ssl->handshake->ecjpake_cache_len = 0;
1487
1488 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1489 buf, len ) ) != 0 )
1490 {
1491 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1492 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1493 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1494 return( ret );
1495 }
1496
1497 return( 0 );
1498}
1499#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1500
1501#if defined(MBEDTLS_SSL_ALPN)
1502static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1503 const unsigned char *buf, size_t len )
1504{
1505 size_t list_len, name_len;
1506 const char **p;
1507
1508 /* If we didn't send it, the server shouldn't send it */
1509 if( ssl->conf->alpn_list == NULL )
1510 {
1511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1512 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1513 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1514 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1515 }
1516
1517 /*
1518 * opaque ProtocolName<1..2^8-1>;
1519 *
1520 * struct {
1521 * ProtocolName protocol_name_list<2..2^16-1>
1522 * } ProtocolNameList;
1523 *
1524 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1525 */
1526
1527 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1528 if( len < 4 )
1529 {
1530 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1531 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1532 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1533 }
1534
1535 list_len = ( buf[0] << 8 ) | buf[1];
1536 if( list_len != len - 2 )
1537 {
1538 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1539 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1540 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1541 }
1542
1543 name_len = buf[2];
1544 if( name_len != list_len - 1 )
1545 {
1546 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1547 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1548 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1549 }
1550
1551 /* Check that the server chosen protocol was in our list and save it */
1552 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1553 {
1554 if( name_len == strlen( *p ) &&
1555 memcmp( buf + 3, *p, name_len ) == 0 )
1556 {
1557 ssl->alpn_chosen = *p;
1558 return( 0 );
1559 }
1560 }
1561
1562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1563 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1564 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1565 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1566}
1567#endif /* MBEDTLS_SSL_ALPN */
1568
1569/*
1570 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1571 */
1572#if defined(MBEDTLS_SSL_PROTO_DTLS)
1573static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1574{
1575 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1576 int major_ver, minor_ver;
1577 unsigned char cookie_len;
1578
1579 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1580
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1581 /* Check that there is enough room for:
1582 * - 2 bytes of version
1583 * - 1 byte of cookie_len
1584 */
1585 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1586 {
1587 MBEDTLS_SSL_DEBUG_MSG( 1,
1588 ( "incoming HelloVerifyRequest message is too short" ) );
1589 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1590 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1591 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1592 }
1593
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1594 /*
1595 * struct {
1596 * ProtocolVersion server_version;
1597 * opaque cookie<0..2^8-1>;
1598 * } HelloVerifyRequest;
1599 */
1600 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1601 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1602 p += 2;
1603
1604 /*
1605 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1606 * even is lower than our min version.
1607 */
1608 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1609 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1610 major_ver > ssl->conf->max_major_ver ||
1611 minor_ver > ssl->conf->max_minor_ver )
1612 {
1613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1614
1615 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1616 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1617
1618 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1619 }
1620
1621 cookie_len = *p++;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1622 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1623 {
1624 MBEDTLS_SSL_DEBUG_MSG( 1,
1625 ( "cookie length does not match incoming message size" ) );
1626 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1627 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1628 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1629 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1630 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1631
1632 mbedtls_free( ssl->handshake->verify_cookie );
1633
1634 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1635 if( ssl->handshake->verify_cookie == NULL )
1636 {
1637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1638 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1639 }
1640
1641 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1642 ssl->handshake->verify_cookie_len = cookie_len;
1643
1644 /* Start over at ClientHello */
1645 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1646 mbedtls_ssl_reset_checksum( ssl );
1647
1648 mbedtls_ssl_recv_flight_completed( ssl );
1649
1650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1651
1652 return( 0 );
1653}
1654#endif /* MBEDTLS_SSL_PROTO_DTLS */
1655
1656static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1657{
1658 int ret, i;
1659 size_t n;
1660 size_t ext_len;
1661 unsigned char *buf, *ext;
1662 unsigned char comp;
1663#if defined(MBEDTLS_ZLIB_SUPPORT)
1664 int accept_comp;
1665#endif
1666#if defined(MBEDTLS_SSL_RENEGOTIATION)
1667 int renegotiation_info_seen = 0;
1668#endif
1669 int handshake_failure = 0;
1670 const mbedtls_ssl_ciphersuite_t *suite_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1671
1672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1673
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1674 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1675 {
1676 /* No alert on a read error. */
1677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1678 return( ret );
1679 }
1680
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1681 buf = ssl->in_msg;
1682
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1683 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1684 {
1685#if defined(MBEDTLS_SSL_RENEGOTIATION)
1686 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1687 {
1688 ssl->renego_records_seen++;
1689
1690 if( ssl->conf->renego_max_records >= 0 &&
1691 ssl->renego_records_seen > ssl->conf->renego_max_records )
1692 {
1693 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1694 "but not honored by server" ) );
1695 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1696 }
1697
1698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1699
1700 ssl->keep_current_message = 1;
1701 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1702 }
1703#endif /* MBEDTLS_SSL_RENEGOTIATION */
1704
1705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1706 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1707 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1708 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1709 }
1710
1711#if defined(MBEDTLS_SSL_PROTO_DTLS)
1712 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1713 {
1714 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1715 {
1716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1717 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1718 return( ssl_parse_hello_verify_request( ssl ) );
1719 }
1720 else
1721 {
1722 /* We made it through the verification process */
1723 mbedtls_free( ssl->handshake->verify_cookie );
1724 ssl->handshake->verify_cookie = NULL;
1725 ssl->handshake->verify_cookie_len = 0;
1726 }
1727 }
1728#endif /* MBEDTLS_SSL_PROTO_DTLS */
1729
1730 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1731 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1732 {
1733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1734 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1735 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1736 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1737 }
1738
1739 /*
1740 * 0 . 1 server_version
1741 * 2 . 33 random (maybe including 4 bytes of Unix time)
1742 * 34 . 34 session_id length = n
1743 * 35 . 34+n session_id
1744 * 35+n . 36+n cipher_suite
1745 * 37+n . 37+n compression_method
1746 *
1747 * 38+n . 39+n extensions length (optional)
1748 * 40+n . .. extensions
1749 */
1750 buf += mbedtls_ssl_hs_hdr_len( ssl );
1751
1752 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1753 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1754 ssl->conf->transport, buf + 0 );
1755
1756 if( ssl->major_ver < ssl->conf->min_major_ver ||
1757 ssl->minor_ver < ssl->conf->min_minor_ver ||
1758 ssl->major_ver > ssl->conf->max_major_ver ||
1759 ssl->minor_ver > ssl->conf->max_minor_ver )
1760 {
1761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1762 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1763 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1764 ssl->major_ver, ssl->minor_ver,
1765 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1766
1767 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1768 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1769
1770 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1771 }
1772
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1774 ( (uint32_t) buf[2] << 24 ) |
1775 ( (uint32_t) buf[3] << 16 ) |
1776 ( (uint32_t) buf[4] << 8 ) |
1777 ( (uint32_t) buf[5] ) ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1778
1779 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1780
1781 n = buf[34];
1782
1783 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1784
1785 if( n > 32 )
1786 {
1787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1788 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1789 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1790 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1791 }
1792
1793 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1794 {
1795 ext_len = ( ( buf[38 + n] << 8 )
1796 | ( buf[39 + n] ) );
1797
1798 if( ( ext_len > 0 && ext_len < 4 ) ||
1799 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1800 {
1801 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1802 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1803 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1804 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1805 }
1806 }
1807 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1808 {
1809 ext_len = 0;
1810 }
1811 else
1812 {
1813 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1814 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1815 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1816 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1817 }
1818
1819 /* ciphersuite (used later) */
1820 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1821
1822 /*
1823 * Read and check compression
1824 */
1825 comp = buf[37 + n];
1826
1827#if defined(MBEDTLS_ZLIB_SUPPORT)
1828 /* See comments in ssl_write_client_hello() */
1829#if defined(MBEDTLS_SSL_PROTO_DTLS)
1830 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1831 accept_comp = 0;
1832 else
1833#endif
1834 accept_comp = 1;
1835
1836 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1837 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1838#else /* MBEDTLS_ZLIB_SUPPORT */
1839 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1840#endif/* MBEDTLS_ZLIB_SUPPORT */
1841 {
1842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1844 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1845 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1846 }
1847
1848 /*
1849 * Initialize update checksum functions
1850 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1851 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1852 if( ssl->handshake->ciphersuite_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1853 {
1854 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1855 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1856 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1857 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1858 }
1859
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1860 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1861
1862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1863 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1864
1865 /*
1866 * Check if the session can be resumed
1867 */
1868 if( ssl->handshake->resume == 0 || n == 0 ||
1869#if defined(MBEDTLS_SSL_RENEGOTIATION)
1870 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1871#endif
1872 ssl->session_negotiate->ciphersuite != i ||
1873 ssl->session_negotiate->compression != comp ||
1874 ssl->session_negotiate->id_len != n ||
1875 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1876 {
1877 ssl->state++;
1878 ssl->handshake->resume = 0;
1879#if defined(MBEDTLS_HAVE_TIME)
1880 ssl->session_negotiate->start = mbedtls_time( NULL );
1881#endif
1882 ssl->session_negotiate->ciphersuite = i;
1883 ssl->session_negotiate->compression = comp;
1884 ssl->session_negotiate->id_len = n;
1885 memcpy( ssl->session_negotiate->id, buf + 35, n );
1886 }
1887 else
1888 {
1889 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1890
1891 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1892 {
1893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1894 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1895 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1896 return( ret );
1897 }
1898 }
1899
1900 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1901 ssl->handshake->resume ? "a" : "no" ) );
1902
1903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1904 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1905
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1906 /*
1907 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1908 */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1909 i = 0;
1910 while( 1 )
1911 {
1912 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1913 {
1914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1915 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1916 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1917 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1918 }
1919
1920 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1921 ssl->session_negotiate->ciphersuite )
1922 {
1923 break;
1924 }
1925 }
1926
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1927 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1928 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
1929 {
1930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1931 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1932 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1933 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1934 }
1935
1936 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1937
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1938#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1939 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1940 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1941 {
1942 ssl->handshake->ecrs_enabled = 1;
1943 }
1944#endif
1945
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1946 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1947#if defined(MBEDTLS_ZLIB_SUPPORT)
1948 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1949#endif
1950 )
1951 {
1952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1953 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1954 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1955 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1956 }
1957 ssl->session_negotiate->compression = comp;
1958
1959 ext = buf + 40 + n;
1960
1961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1962
1963 while( ext_len )
1964 {
1965 unsigned int ext_id = ( ( ext[0] << 8 )
1966 | ( ext[1] ) );
1967 unsigned int ext_size = ( ( ext[2] << 8 )
1968 | ( ext[3] ) );
1969
1970 if( ext_size + 4 > ext_len )
1971 {
1972 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1973 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1974 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1975 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1976 }
1977
1978 switch( ext_id )
1979 {
1980 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1982#if defined(MBEDTLS_SSL_RENEGOTIATION)
1983 renegotiation_info_seen = 1;
1984#endif
1985
1986 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1987 ext_size ) ) != 0 )
1988 return( ret );
1989
1990 break;
1991
1992#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1993 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1995
1996 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1997 ext + 4, ext_size ) ) != 0 )
1998 {
1999 return( ret );
2000 }
2001
2002 break;
2003#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2004
2005#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2006 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
2008
2009 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2010 ext + 4, ext_size ) ) != 0 )
2011 {
2012 return( ret );
2013 }
2014
2015 break;
2016#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2017
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2018#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2019 case MBEDTLS_TLS_EXT_CID:
2020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
2021
2022 if( ( ret = ssl_parse_cid_ext( ssl,
2023 ext + 4,
2024 ext_size ) ) != 0 )
2025 {
2026 return( ret );
2027 }
2028
2029 break;
2030#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2031
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2032#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2033 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
2035
2036 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2037 ext + 4, ext_size ) ) != 0 )
2038 {
2039 return( ret );
2040 }
2041
2042 break;
2043#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2044
2045#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2046 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2047 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
2048
2049 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2050 ext + 4, ext_size ) ) != 0 )
2051 {
2052 return( ret );
2053 }
2054
2055 break;
2056#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2057
2058#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2059 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2060 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
2061
2062 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2063 ext + 4, ext_size ) ) != 0 )
2064 {
2065 return( ret );
2066 }
2067
2068 break;
2069#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2070
2071#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2072 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2073 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2074 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
2075
2076 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2077 ext + 4, ext_size ) ) != 0 )
2078 {
2079 return( ret );
2080 }
2081
2082 break;
2083#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2084 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2085
2086#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2087 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2089
2090 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2091 ext + 4, ext_size ) ) != 0 )
2092 {
2093 return( ret );
2094 }
2095
2096 break;
2097#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2098
2099#if defined(MBEDTLS_SSL_ALPN)
2100 case MBEDTLS_TLS_EXT_ALPN:
2101 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2102
2103 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2104 return( ret );
2105
2106 break;
2107#endif /* MBEDTLS_SSL_ALPN */
2108
2109 default:
2110 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
2111 ext_id ) );
2112 }
2113
2114 ext_len -= 4 + ext_size;
2115 ext += 4 + ext_size;
2116
2117 if( ext_len > 0 && ext_len < 4 )
2118 {
2119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2120 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2121 }
2122 }
2123
2124 /*
2125 * Renegotiation security checks
2126 */
2127 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2128 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2129 {
2130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
2131 handshake_failure = 1;
2132 }
2133#if defined(MBEDTLS_SSL_RENEGOTIATION)
2134 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2135 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2136 renegotiation_info_seen == 0 )
2137 {
2138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
2139 handshake_failure = 1;
2140 }
2141 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2142 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2143 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2144 {
2145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2146 handshake_failure = 1;
2147 }
2148 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2149 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2150 renegotiation_info_seen == 1 )
2151 {
2152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
2153 handshake_failure = 1;
2154 }
2155#endif /* MBEDTLS_SSL_RENEGOTIATION */
2156
2157 if( handshake_failure == 1 )
2158 {
2159 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2160 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2162 }
2163
2164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2165
2166 return( 0 );
2167}
2168
2169#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2170 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2171static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
2172 unsigned char *end )
2173{
2174 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2175
2176 /*
2177 * Ephemeral DH parameters:
2178 *
2179 * struct {
2180 * opaque dh_p<1..2^16-1>;
2181 * opaque dh_g<1..2^16-1>;
2182 * opaque dh_Ys<1..2^16-1>;
2183 * } ServerDHParams;
2184 */
2185 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
2186 {
2187 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2188 return( ret );
2189 }
2190
2191 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
2192 {
2193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2194 ssl->handshake->dhm_ctx.len * 8,
2195 ssl->conf->dhm_min_bitlen ) );
2196 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2197 }
2198
2199 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2200 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2201 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2202
2203 return( ret );
2204}
2205#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2206 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2207
2208#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2209 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2210 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2211 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2212 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2213static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2214{
2215 const mbedtls_ecp_curve_info *curve_info;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2216 mbedtls_ecp_group_id grp_id;
2217#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2218 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2219#else
2220 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2221#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2222
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2223 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2224 if( curve_info == NULL )
2225 {
2226 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2227 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2228 }
2229
2230 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2231
2232#if defined(MBEDTLS_ECP_C)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2233 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2234#else
2235 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2236 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2237#endif
2238 return( -1 );
2239
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2240 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2241 MBEDTLS_DEBUG_ECDH_QP );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2242
2243 return( 0 );
2244}
2245#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2246 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2247 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2248 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2249 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2250
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2251#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2252 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2253 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2254static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
2255 unsigned char **p,
2256 unsigned char *end )
2257{
2258 uint16_t tls_id;
2259 size_t ecdh_bits = 0;
2260 uint8_t ecpoint_len;
2261 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2262
2263 /*
2264 * Parse ECC group
2265 */
2266
2267 if( end - *p < 4 )
2268 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2269
2270 /* First byte is curve_type; only named_curve is handled */
2271 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
2272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2273
2274 /* Next two bytes are the namedcurve value */
2275 tls_id = *(*p)++;
2276 tls_id <<= 8;
2277 tls_id |= *(*p)++;
2278
2279 /* Convert EC group to PSA key type. */
2280 if( ( handshake->ecdh_psa_type =
2281 mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
2282 {
2283 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2284 }
2285 if( ecdh_bits > 0xffff )
2286 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2287 handshake->ecdh_bits = (uint16_t) ecdh_bits;
2288
2289 /*
2290 * Put peer's ECDH public key in the format understood by PSA.
2291 */
2292
2293 ecpoint_len = *(*p)++;
2294 if( (size_t)( end - *p ) < ecpoint_len )
2295 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2296
2297 if( mbedtls_psa_tls_ecpoint_to_psa_ec(
2298 *p, ecpoint_len,
2299 handshake->ecdh_psa_peerkey,
2300 sizeof( handshake->ecdh_psa_peerkey ),
2301 &handshake->ecdh_psa_peerkey_len ) != 0 )
2302 {
2303 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2304 }
2305
2306 *p += ecpoint_len;
2307 return( 0 );
2308}
2309#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2310 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2311 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2312
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2313#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2314 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2315 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2316static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2317 unsigned char **p,
2318 unsigned char *end )
2319{
2320 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2321
2322 /*
2323 * Ephemeral ECDH parameters:
2324 *
2325 * struct {
2326 * ECParameters curve_params;
2327 * ECPoint public;
2328 * } ServerECDHParams;
2329 */
2330 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2331 (const unsigned char **) p, end ) ) != 0 )
2332 {
2333 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2334#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2335 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2336 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2337#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2338 return( ret );
2339 }
2340
2341 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2342 {
2343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2344 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2345 }
2346
2347 return( ret );
2348}
2349#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2350 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2351 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2352
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2353#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2354static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2355 unsigned char **p,
2356 unsigned char *end )
2357{
2358 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2359 uint16_t len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2360 ((void) ssl);
2361
2362 /*
2363 * PSK parameters:
2364 *
2365 * opaque psk_identity_hint<0..2^16-1>;
2366 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2367 if( end - (*p) < 2 )
2368 {
2369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2370 "(psk_identity_hint length)" ) );
2371 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2372 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2373 len = (*p)[0] << 8 | (*p)[1];
2374 *p += 2;
2375
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2376 if( end - (*p) < len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2377 {
2378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2379 "(psk_identity_hint length)" ) );
2380 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2381 }
2382
2383 /*
2384 * Note: we currently ignore the PKS identity hint, as we only allow one
2385 * PSK to be provisionned on the client. This could be changed later if
2386 * someone needs that feature.
2387 */
2388 *p += len;
2389 ret = 0;
2390
2391 return( ret );
2392}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2393#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2394
2395#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2396 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2397/*
2398 * Generate a pre-master secret and encrypt it with the server's RSA key
2399 */
2400static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2401 size_t offset, size_t *olen,
2402 size_t pms_offset )
2403{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2404 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2405 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2406 unsigned char *p = ssl->handshake->premaster + pms_offset;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2407 mbedtls_pk_context * peer_pk;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2408
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2409 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2410 {
2411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2412 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2413 }
2414
2415 /*
2416 * Generate (part of) the pre-master as
2417 * struct {
2418 * ProtocolVersion client_version;
2419 * opaque random[46];
2420 * } PreMasterSecret;
2421 */
2422 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2423 ssl->conf->transport, p );
2424
2425 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2426 {
2427 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2428 return( ret );
2429 }
2430
2431 ssl->handshake->pmslen = 48;
2432
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2433#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2434 peer_pk = &ssl->handshake->peer_pubkey;
2435#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2436 if( ssl->session_negotiate->peer_cert == NULL )
2437 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2438 /* Should never happen */
2439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2440 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2441 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2442 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2443#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2444
2445 /*
2446 * Now write it out, encrypted
2447 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2448 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2449 {
2450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2451 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2452 }
2453
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2454 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2455 p, ssl->handshake->pmslen,
2456 ssl->out_msg + offset + len_bytes, olen,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2457 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2458 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2459 {
2460 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2461 return( ret );
2462 }
2463
2464#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2465 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2466 if( len_bytes == 2 )
2467 {
2468 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2469 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2470 *olen += 2;
2471 }
2472#endif
2473
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2474#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2475 /* We don't need the peer's public key anymore. Free it. */
2476 mbedtls_pk_free( peer_pk );
2477#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2478 return( 0 );
2479}
2480#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2481 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2482
2483#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2484#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2485 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2486 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2487static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2488 unsigned char **p,
2489 unsigned char *end,
2490 mbedtls_md_type_t *md_alg,
2491 mbedtls_pk_type_t *pk_alg )
2492{
2493 ((void) ssl);
2494 *md_alg = MBEDTLS_MD_NONE;
2495 *pk_alg = MBEDTLS_PK_NONE;
2496
2497 /* Only in TLS 1.2 */
2498 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2499 {
2500 return( 0 );
2501 }
2502
2503 if( (*p) + 2 > end )
2504 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2505
2506 /*
2507 * Get hash algorithm
2508 */
2509 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
2510 {
2511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
2512 "HashAlgorithm %d", *(p)[0] ) );
2513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2514 }
2515
2516 /*
2517 * Get signature algorithm
2518 */
2519 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
2520 {
2521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
2522 "SignatureAlgorithm %d", (*p)[1] ) );
2523 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2524 }
2525
2526 /*
2527 * Check if the hash is acceptable
2528 */
2529 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2530 {
2531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2532 *(p)[0] ) );
2533 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2534 }
2535
2536 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
2538 *p += 2;
2539
2540 return( 0 );
2541}
2542#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2543 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2544 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2545#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2546
2547#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2548 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2549static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2550{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2552 const mbedtls_ecp_keypair *peer_key;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2553 mbedtls_pk_context * peer_pk;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2554
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2555#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2556 peer_pk = &ssl->handshake->peer_pubkey;
2557#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2558 if( ssl->session_negotiate->peer_cert == NULL )
2559 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2560 /* Should never happen */
2561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2562 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2563 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2564 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2565#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2566
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2567 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2568 {
2569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2570 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2571 }
2572
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2573 peer_key = mbedtls_pk_ec( *peer_pk );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2574
2575 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2576 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2577 {
2578 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2579 return( ret );
2580 }
2581
2582 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2583 {
2584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2585 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2586 }
2587
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2588#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2589 /* We don't need the peer's public key anymore. Free it,
2590 * so that more RAM is available for upcoming expensive
2591 * operations like ECDHE. */
2592 mbedtls_pk_free( peer_pk );
2593#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2594
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2595 return( ret );
2596}
2597#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2598 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2599
2600static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2601{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2603 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2604 ssl->handshake->ciphersuite_info;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2605 unsigned char *p = NULL, *end = NULL;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2606
2607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2608
2609#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2610 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2611 {
2612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2613 ssl->state++;
2614 return( 0 );
2615 }
2616 ((void) p);
2617 ((void) end);
2618#endif
2619
2620#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2621 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2622 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2623 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2624 {
2625 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2626 {
2627 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2629 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2630 return( ret );
2631 }
2632
2633 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2634 ssl->state++;
2635 return( 0 );
2636 }
2637 ((void) p);
2638 ((void) end);
2639#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2640 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2641
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2642#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2643 if( ssl->handshake->ecrs_enabled &&
2644 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2645 {
2646 goto start_processing;
2647 }
2648#endif
2649
2650 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2651 {
2652 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2653 return( ret );
2654 }
2655
2656 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2657 {
2658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2659 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2660 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2661 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2662 }
2663
2664 /*
2665 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2666 * doesn't use a psk_identity_hint
2667 */
2668 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2669 {
2670 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2671 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2672 {
2673 /* Current message is probably either
2674 * CertificateRequest or ServerHelloDone */
2675 ssl->keep_current_message = 1;
2676 goto exit;
2677 }
2678
2679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2680 "not be skipped" ) );
2681 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2682 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2683
2684 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2685 }
2686
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2687#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2688 if( ssl->handshake->ecrs_enabled )
2689 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2690
2691start_processing:
2692#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2693 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2694 end = ssl->in_msg + ssl->in_hslen;
2695 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2696
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2697#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2698 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2699 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2700 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2701 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2702 {
2703 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2704 {
2705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2706 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2707 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2708 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2709 }
2710 } /* FALLTROUGH */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2711#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2712
2713#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2714 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2715 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2716 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2717 ; /* nothing more to do */
2718 else
2719#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2720 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2721#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2722 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2723 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2724 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2725 {
2726 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2727 {
2728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2730 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2731 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2732 }
2733 }
2734 else
2735#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2736 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2737#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2738 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2739 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2740 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2741 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2742 {
2743 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
2744 {
2745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2746 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2747 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2748 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2749 }
2750 }
2751 else
2752#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2753 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2754 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2755#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2756 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2757 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2758 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2759 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2760 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2761 {
2762 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2763 {
2764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2766 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2767 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2768 }
2769 }
2770 else
2771#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2772 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2773 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2774#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2775 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2776 {
2777 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2778 p, end - p );
2779 if( ret != 0 )
2780 {
2781 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2782 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2783 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2784 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2785 }
2786 }
2787 else
2788#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2789 {
2790 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2791 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2792 }
2793
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2794#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2795 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2796 {
2797 size_t sig_len, hashlen;
2798 unsigned char hash[64];
2799 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2800 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2801 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2802 size_t params_len = p - params;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2803 void *rs_ctx = NULL;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2804
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2805 mbedtls_pk_context * peer_pk;
2806
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2807 /*
2808 * Handle the digitally-signed structure
2809 */
2810#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2811 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2812 {
2813 if( ssl_parse_signature_algorithm( ssl, &p, end,
2814 &md_alg, &pk_alg ) != 0 )
2815 {
2816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2817 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2818 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2819 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2820 }
2821
2822 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2823 {
2824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2825 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2826 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2827 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2828 }
2829 }
2830 else
2831#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2832#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2833 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2834 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2835 {
2836 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2837
2838 /* Default hash for ECDSA is SHA-1 */
2839 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2840 md_alg = MBEDTLS_MD_SHA1;
2841 }
2842 else
2843#endif
2844 {
2845 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2846 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2847 }
2848
2849 /*
2850 * Read signature
2851 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2852
2853 if( p > end - 2 )
2854 {
2855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2856 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2857 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2858 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2859 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2860 sig_len = ( p[0] << 8 ) | p[1];
2861 p += 2;
2862
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2863 if( p != end - sig_len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2864 {
2865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2866 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2867 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2868 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2869 }
2870
2871 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2872
2873 /*
2874 * Compute the hash that has been signed
2875 */
2876#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2877 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2878 if( md_alg == MBEDTLS_MD_NONE )
2879 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2880 hashlen = 36;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2881 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2882 params_len );
2883 if( ret != 0 )
2884 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2885 }
2886 else
2887#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2888 MBEDTLS_SSL_PROTO_TLS1_1 */
2889#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2890 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2891 if( md_alg != MBEDTLS_MD_NONE )
2892 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2893 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2894 params, params_len,
2895 md_alg );
2896 if( ret != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2897 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2898 }
2899 else
2900#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2901 MBEDTLS_SSL_PROTO_TLS1_2 */
2902 {
2903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2904 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2905 }
2906
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2907 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2908
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2909#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2910 peer_pk = &ssl->handshake->peer_pubkey;
2911#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2912 if( ssl->session_negotiate->peer_cert == NULL )
2913 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2914 /* Should never happen */
2915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2916 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2917 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2918 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2919#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2920
2921 /*
2922 * Verify signature
2923 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2924 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2925 {
2926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2927 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2928 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2929 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2930 }
2931
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2932#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2933 if( ssl->handshake->ecrs_enabled )
2934 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2935#endif
2936
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2937 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2938 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2939 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2940#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2941 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2942#endif
2943 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2944 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2945 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2946#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]2947 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2948 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2949#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2950 return( ret );
2951 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2952
2953#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2954 /* We don't need the peer's public key anymore. Free it,
2955 * so that more RAM is available for upcoming expensive
2956 * operations like ECDHE. */
2957 mbedtls_pk_free( peer_pk );
2958#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2959 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2960#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2961
2962exit:
2963 ssl->state++;
2964
2965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2966
2967 return( 0 );
2968}
2969
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2970#if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2971static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2972{
2973 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2974 ssl->handshake->ciphersuite_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2975
2976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2977
2978 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2979 {
2980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2981 ssl->state++;
2982 return( 0 );
2983 }
2984
2985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2986 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2987}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2988#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2989static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2990{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2991 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2992 unsigned char *buf;
2993 size_t n = 0;
2994 size_t cert_type_len = 0, dn_len = 0;
2995 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]2996 ssl->handshake->ciphersuite_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]2997
2998 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2999
3000 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3001 {
3002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
3003 ssl->state++;
3004 return( 0 );
3005 }
3006
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3007 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3008 {
3009 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3010 return( ret );
3011 }
3012
3013 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3014 {
3015 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3016 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3017 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3018 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3019 }
3020
3021 ssl->state++;
3022 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
3023
3024 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
3025 ssl->client_auth ? "a" : "no" ) );
3026
3027 if( ssl->client_auth == 0 )
3028 {
3029 /* Current message is probably the ServerHelloDone */
3030 ssl->keep_current_message = 1;
3031 goto exit;
3032 }
3033
3034 /*
3035 * struct {
3036 * ClientCertificateType certificate_types<1..2^8-1>;
3037 * SignatureAndHashAlgorithm
3038 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3039 * DistinguishedName certificate_authorities<0..2^16-1>;
3040 * } CertificateRequest;
3041 *
3042 * Since we only support a single certificate on clients, let's just
3043 * ignore all the information that's supposed to help us pick a
3044 * certificate.
3045 *
3046 * We could check that our certificate matches the request, and bail out
3047 * if it doesn't, but it's simpler to just send the certificate anyway,
3048 * and give the server the opportunity to decide if it should terminate
3049 * the connection when it doesn't like our certificate.
3050 *
3051 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3052 * point we only have one hash available (see comments in
3053 * write_certificate_verify), so let's just use what we have.
3054 *
3055 * However, we still minimally parse the message to check it is at least
3056 * superficially sane.
3057 */
3058 buf = ssl->in_msg;
3059
3060 /* certificate_types */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3061 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3062 {
3063 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3064 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3065 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3066 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3067 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3068 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
3069 n = cert_type_len;
3070
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3071 /*
3072 * In the subsequent code there are two paths that read from buf:
3073 * * the length of the signature algorithms field (if minor version of
3074 * SSL is 3),
3075 * * distinguished name length otherwise.
3076 * Both reach at most the index:
3077 * ...hdr_len + 2 + n,
3078 * therefore the buffer length at this point must be greater than that
3079 * regardless of the actual code path.
3080 */
3081 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3082 {
3083 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3084 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3085 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3086 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3087 }
3088
3089 /* supported_signature_algorithms */
3090#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3091 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3092 {
3093 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3094 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3095#if defined(MBEDTLS_DEBUG_C)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3096 unsigned char* sig_alg;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3097 size_t i;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3098#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3099
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3100 /*
3101 * The furthest access in buf is in the loop few lines below:
3102 * sig_alg[i + 1],
3103 * where:
3104 * sig_alg = buf + ...hdr_len + 3 + n,
3105 * max(i) = sig_alg_len - 1.
3106 * Therefore the furthest access is:
3107 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3108 * which reduces to:
3109 * buf[...hdr_len + 3 + n + sig_alg_len],
3110 * which is one less than we need the buf to be.
3111 */
3112 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3113 {
3114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3115 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3116 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3117 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3118 }
3119
3120#if defined(MBEDTLS_DEBUG_C)
3121 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3122 for( i = 0; i < sig_alg_len; i += 2 )
3123 {
3124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3125 ",%d", sig_alg[i], sig_alg[i + 1] ) );
3126 }
3127#endif
3128
3129 n += 2 + sig_alg_len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3130 }
3131#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3132
3133 /* certificate_authorities */
3134 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3135 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3136
3137 n += dn_len;
3138 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3139 {
3140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3141 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3142 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3143 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3144 }
3145
3146exit:
3147 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3148
3149 return( 0 );
3150}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3151#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3152
3153static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3154{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3156
3157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3158
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3159 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3160 {
3161 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3162 return( ret );
3163 }
3164
3165 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3166 {
3167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3168 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3169 }
3170
3171 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3172 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
3173 {
3174 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3175 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3176 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3177 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
3178 }
3179
3180 ssl->state++;
3181
3182#if defined(MBEDTLS_SSL_PROTO_DTLS)
3183 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3184 mbedtls_ssl_recv_flight_completed( ssl );
3185#endif
3186
3187 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3188
3189 return( 0 );
3190}
3191
3192static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3193{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3194 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3195
3196 size_t header_len;
3197 size_t content_len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3198 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3199 ssl->handshake->ciphersuite_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3200
3201 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3202
3203#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3204 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3205 {
3206 /*
3207 * DHM key exchange -- send G^X mod P
3208 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3209 content_len = ssl->handshake->dhm_ctx.len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3210
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3211 ssl->out_msg[4] = (unsigned char)( content_len >> 8 );
3212 ssl->out_msg[5] = (unsigned char)( content_len );
3213 header_len = 6;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3214
3215 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3216 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3217 &ssl->out_msg[header_len], content_len,
3218 ssl->conf->f_rng, ssl->conf->p_rng );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3219 if( ret != 0 )
3220 {
3221 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3222 return( ret );
3223 }
3224
3225 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3226 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3227
3228 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3229 ssl->handshake->premaster,
3230 MBEDTLS_PREMASTER_SIZE,
3231 &ssl->handshake->pmslen,
3232 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3233 {
3234 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3235 return( ret );
3236 }
3237
3238 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3239 }
3240 else
3241#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3242#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3243 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3244 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3245 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3246 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3247 {
3248 psa_status_t status;
3249 psa_key_attributes_t key_attributes;
3250
3251 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3252
3253 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3254 size_t own_pubkey_len;
3255 unsigned char *own_pubkey_ecpoint;
3256 size_t own_pubkey_ecpoint_len;
3257
3258 header_len = 4;
3259
3260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
3261
3262 /*
3263 * Generate EC private key for ECDHE exchange.
3264 */
3265
3266 /* The master secret is obtained from the shared ECDH secret by
3267 * applying the TLS 1.2 PRF with a specific salt and label. While
3268 * the PSA Crypto API encourages combining key agreement schemes
3269 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3270 * yet support the provisioning of salt + label to the KDF.
3271 * For the time being, we therefore need to split the computation
3272 * of the ECDH secret and the application of the TLS 1.2 PRF. */
3273 key_attributes = psa_key_attributes_init();
3274 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
3275 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
3276 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
3277 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
3278
3279 /* Generate ECDH private key. */
3280 status = psa_generate_key( &key_attributes,
3281 &handshake->ecdh_psa_privkey );
3282 if( status != PSA_SUCCESS )
3283 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3284
3285 /* Export the public part of the ECDH private key from PSA
3286 * and convert it to ECPoint format used in ClientKeyExchange. */
3287 status = psa_export_public_key( handshake->ecdh_psa_privkey,
3288 own_pubkey, sizeof( own_pubkey ),
3289 &own_pubkey_len );
3290 if( status != PSA_SUCCESS )
3291 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3292
3293 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey,
3294 own_pubkey_len,
3295 &own_pubkey_ecpoint,
3296 &own_pubkey_ecpoint_len ) != 0 )
3297 {
3298 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3299 }
3300
3301 /* Copy ECPoint structure to outgoing message buffer. */
3302 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
3303 memcpy( ssl->out_msg + header_len + 1,
3304 own_pubkey_ecpoint, own_pubkey_ecpoint_len );
3305 content_len = own_pubkey_ecpoint_len + 1;
3306
3307 /* The ECDH secret is the premaster secret used for key derivation. */
3308
3309 /* Compute ECDH shared secret. */
3310 status = psa_raw_key_agreement( PSA_ALG_ECDH,
3311 handshake->ecdh_psa_privkey,
3312 handshake->ecdh_psa_peerkey,
3313 handshake->ecdh_psa_peerkey_len,
3314 ssl->handshake->premaster,
3315 sizeof( ssl->handshake->premaster ),
3316 &ssl->handshake->pmslen );
3317 if( status != PSA_SUCCESS )
3318 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3319
3320 status = psa_destroy_key( handshake->ecdh_psa_privkey );
3321 if( status != PSA_SUCCESS )
3322 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3323 handshake->ecdh_psa_privkey = 0;
3324 }
3325 else
3326#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3327 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3328 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3329#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3330 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3331 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3332 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3333 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3334 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3335 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3336 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3337 {
3338 /*
3339 * ECDH key exchange -- send client public value
3340 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3341 header_len = 4;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3342
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3343#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3344 if( ssl->handshake->ecrs_enabled )
3345 {
3346 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3347 goto ecdh_calc_secret;
3348
3349 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3350 }
3351#endif
3352
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3353 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3354 &content_len,
3355 &ssl->out_msg[header_len], 1000,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3356 ssl->conf->f_rng, ssl->conf->p_rng );
3357 if( ret != 0 )
3358 {
3359 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3360#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3361 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3362 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3363#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3364 return( ret );
3365 }
3366
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3367 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3368 MBEDTLS_DEBUG_ECDH_Q );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3369
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3370#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3371 if( ssl->handshake->ecrs_enabled )
3372 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3373 ssl->handshake->ecrs_n = content_len;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3374 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3375 }
3376
3377ecdh_calc_secret:
3378 if( ssl->handshake->ecrs_enabled )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3379 content_len = ssl->handshake->ecrs_n;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3380#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3381 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3382 &ssl->handshake->pmslen,
3383 ssl->handshake->premaster,
3384 MBEDTLS_MPI_MAX_SIZE,
3385 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3386 {
3387 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3388#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3389 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3390 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3391#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3392 return( ret );
3393 }
3394
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3395 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3396 MBEDTLS_DEBUG_ECDH_Z );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3397 }
3398 else
3399#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3400 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3401 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3402 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3403#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3404 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3405 {
3406 /*
3407 * opaque psk_identity<0..2^16-1>;
3408 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3409 if( ssl_conf_has_static_psk( ssl->conf ) == 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3410 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3411 /* We don't offer PSK suites if we don't have a PSK,
3412 * and we check that the server's choice is among the
3413 * ciphersuites we offered, so this should never happen. */
3414 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3415 }
3416
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3417 header_len = 4;
3418 content_len = ssl->conf->psk_identity_len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3419
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3420 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3421 {
3422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3423 "SSL buffer too short" ) );
3424 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3425 }
3426
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3427 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3428 ssl->out_msg[header_len++] = (unsigned char)( content_len );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3429
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3430 memcpy( ssl->out_msg + header_len,
3431 ssl->conf->psk_identity,
3432 ssl->conf->psk_identity_len );
3433 header_len += ssl->conf->psk_identity_len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3434
3435#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3436 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3437 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3438 content_len = 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3439 }
3440 else
3441#endif
3442#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3443 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3444 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3445#if defined(MBEDTLS_USE_PSA_CRYPTO)
3446 /* Opaque PSKs are currently only supported for PSK-only suites. */
3447 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3448 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3449#endif /* MBEDTLS_USE_PSA_CRYPTO */
3450
3451 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3452 &content_len, 2 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3453 return( ret );
3454 }
3455 else
3456#endif
3457#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3458 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3459 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3460#if defined(MBEDTLS_USE_PSA_CRYPTO)
3461 /* Opaque PSKs are currently only supported for PSK-only suites. */
3462 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3463 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3464#endif /* MBEDTLS_USE_PSA_CRYPTO */
3465
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3466 /*
3467 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3468 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3469 content_len = ssl->handshake->dhm_ctx.len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3470
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3471 if( header_len + 2 + content_len >
3472 MBEDTLS_SSL_OUT_CONTENT_LEN )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3473 {
3474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3475 " or SSL buffer too short" ) );
3476 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3477 }
3478
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3479 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3480 ssl->out_msg[header_len++] = (unsigned char)( content_len );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3481
3482 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3483 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3484 &ssl->out_msg[header_len], content_len,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3485 ssl->conf->f_rng, ssl->conf->p_rng );
3486 if( ret != 0 )
3487 {
3488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3489 return( ret );
3490 }
3491 }
3492 else
3493#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3494#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3495 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3496 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3497#if defined(MBEDTLS_USE_PSA_CRYPTO)
3498 /* Opaque PSKs are currently only supported for PSK-only suites. */
3499 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3500 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3501#endif /* MBEDTLS_USE_PSA_CRYPTO */
3502
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3503 /*
3504 * ClientECDiffieHellmanPublic public;
3505 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3506 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3507 &content_len,
3508 &ssl->out_msg[header_len],
3509 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3510 ssl->conf->f_rng, ssl->conf->p_rng );
3511 if( ret != 0 )
3512 {
3513 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3514 return( ret );
3515 }
3516
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3517 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3518 MBEDTLS_DEBUG_ECDH_Q );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3519 }
3520 else
3521#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3522 {
3523 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3524 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3525 }
3526
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3527#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3528 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3529 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
3530 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
3531 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3532 {
3533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
3534 }
3535 else
3536#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3537 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3538 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3539 ciphersuite_info->key_exchange ) ) != 0 )
3540 {
3541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3542 return( ret );
3543 }
3544 }
3545 else
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3546#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3547#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3548 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3549 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3550 header_len = 4;
3551 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3552 &content_len, 0 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3553 return( ret );
3554 }
3555 else
3556#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3557#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3558 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3559 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3560 header_len = 4;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3561
3562 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3563 ssl->out_msg + header_len,
3564 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3565 &content_len,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3566 ssl->conf->f_rng, ssl->conf->p_rng );
3567 if( ret != 0 )
3568 {
3569 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3570 return( ret );
3571 }
3572
3573 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3574 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3575 ssl->conf->f_rng, ssl->conf->p_rng );
3576 if( ret != 0 )
3577 {
3578 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3579 return( ret );
3580 }
3581 }
3582 else
3583#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3584 {
3585 ((void) ciphersuite_info);
3586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3587 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3588 }
3589
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3590 ssl->out_msglen = header_len + content_len;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3591 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3592 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3593
3594 ssl->state++;
3595
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3596 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3597 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3598 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3599 return( ret );
3600 }
3601
3602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3603
3604 return( 0 );
3605}
3606
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3607#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3608static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3609{
3610 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3611 ssl->handshake->ciphersuite_info;
3612 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3613
3614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3615
3616 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3617 {
3618 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3619 return( ret );
3620 }
3621
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3622 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3623 {
3624 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3625 ssl->state++;
3626 return( 0 );
3627 }
3628
3629 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3630 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3631}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3632#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3633static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3634{
3635 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3636 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3637 ssl->handshake->ciphersuite_info;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3638 size_t n = 0, offset = 0;
3639 unsigned char hash[48];
3640 unsigned char *hash_start = hash;
3641 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3642 size_t hashlen;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3643 void *rs_ctx = NULL;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3644
3645 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3646
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3647#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3648 if( ssl->handshake->ecrs_enabled &&
3649 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3650 {
3651 goto sign;
3652 }
3653#endif
3654
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3655 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3656 {
3657 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3658 return( ret );
3659 }
3660
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3661 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3662 {
3663 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3664 ssl->state++;
3665 return( 0 );
3666 }
3667
3668 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3669 {
3670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3671 ssl->state++;
3672 return( 0 );
3673 }
3674
3675 if( mbedtls_ssl_own_key( ssl ) == NULL )
3676 {
3677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3678 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3679 }
3680
3681 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3682 * Make a signature of the handshake digests
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3683 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3684#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3685 if( ssl->handshake->ecrs_enabled )
3686 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3687
3688sign:
3689#endif
3690
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3691 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3692
3693#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3694 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3695 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3696 {
3697 /*
3698 * digitally-signed struct {
3699 * opaque md5_hash[16];
3700 * opaque sha_hash[20];
3701 * };
3702 *
3703 * md5_hash
3704 * MD5(handshake_messages);
3705 *
3706 * sha_hash
3707 * SHA(handshake_messages);
3708 */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3709 md_alg = MBEDTLS_MD_NONE;
3710
3711 /*
3712 * For ECDSA, default hash is SHA-1 only
3713 */
3714 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3715 {
3716 hash_start += 16;
3717 hashlen -= 16;
3718 md_alg = MBEDTLS_MD_SHA1;
3719 }
3720 }
3721 else
3722#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3723 MBEDTLS_SSL_PROTO_TLS1_1 */
3724#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3725 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3726 {
3727 /*
3728 * digitally-signed struct {
3729 * opaque handshake_messages[handshake_messages_length];
3730 * };
3731 *
3732 * Taking shortcut here. We assume that the server always allows the
3733 * PRF Hash function and has sent it in the allowed signature
3734 * algorithms list received in the Certificate Request message.
3735 *
3736 * Until we encounter a server that does not, we will take this
3737 * shortcut.
3738 *
3739 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3740 * in order to satisfy 'weird' needs from the server side.
3741 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3742 if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3743 {
3744 md_alg = MBEDTLS_MD_SHA384;
3745 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3746 }
3747 else
3748 {
3749 md_alg = MBEDTLS_MD_SHA256;
3750 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3751 }
3752 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3753
3754 /* Info from md_alg will be used instead */
3755 hashlen = 0;
3756 offset = 2;
3757 }
3758 else
3759#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3760 {
3761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3762 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3763 }
3764
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3765#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3766 if( ssl->handshake->ecrs_enabled )
3767 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3768#endif
3769
3770 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3771 md_alg, hash_start, hashlen,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3772 ssl->out_msg + 6 + offset, &n,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3773 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3774 {
3775 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3776#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3777 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3778 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3779#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3780 return( ret );
3781 }
3782
3783 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3784 ssl->out_msg[5 + offset] = (unsigned char)( n );
3785
3786 ssl->out_msglen = 6 + n + offset;
3787 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3788 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3789
3790 ssl->state++;
3791
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3792 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3793 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3794 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3795 return( ret );
3796 }
3797
3798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3799
3800 return( ret );
3801}
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3802#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3803
3804#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3805static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3806{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3807 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3808 uint32_t lifetime;
3809 size_t ticket_len;
3810 unsigned char *ticket;
3811 const unsigned char *msg;
3812
3813 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3814
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3815 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3816 {
3817 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3818 return( ret );
3819 }
3820
3821 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3822 {
3823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3824 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3825 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3826 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3827 }
3828
3829 /*
3830 * struct {
3831 * uint32 ticket_lifetime_hint;
3832 * opaque ticket<0..2^16-1>;
3833 * } NewSessionTicket;
3834 *
3835 * 0 . 3 ticket_lifetime_hint
3836 * 4 . 5 ticket_len (n)
3837 * 6 . 5+n ticket content
3838 */
3839 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3840 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3841 {
3842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3844 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3845 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3846 }
3847
3848 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3849
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3850 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3851 ( msg[2] << 8 ) | ( msg[3] );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3852
3853 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3854
3855 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3856 {
3857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3859 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3860 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3861 }
3862
3863 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3864
3865 /* We're not waiting for a NewSessionTicket message any more */
3866 ssl->handshake->new_session_ticket = 0;
3867 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3868
3869 /*
3870 * Zero-length ticket means the server changed his mind and doesn't want
3871 * to send a ticket after all, so just forget it
3872 */
3873 if( ticket_len == 0 )
3874 return( 0 );
3875
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]3876 if( ssl->session != NULL && ssl->session->ticket != NULL )
3877 {
3878 mbedtls_platform_zeroize( ssl->session->ticket,
3879 ssl->session->ticket_len );
3880 mbedtls_free( ssl->session->ticket );
3881 ssl->session->ticket = NULL;
3882 ssl->session->ticket_len = 0;
3883 }
3884
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3885 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3886 ssl->session_negotiate->ticket_len );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3887 mbedtls_free( ssl->session_negotiate->ticket );
3888 ssl->session_negotiate->ticket = NULL;
3889 ssl->session_negotiate->ticket_len = 0;
3890
3891 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3892 {
3893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3894 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3895 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3896 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3897 }
3898
3899 memcpy( ticket, msg + 6, ticket_len );
3900
3901 ssl->session_negotiate->ticket = ticket;
3902 ssl->session_negotiate->ticket_len = ticket_len;
3903 ssl->session_negotiate->ticket_lifetime = lifetime;
3904
3905 /*
3906 * RFC 5077 section 3.4:
3907 * "If the client receives a session ticket from the server, then it
3908 * discards any Session ID that was sent in the ServerHello."
3909 */
3910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3911 ssl->session_negotiate->id_len = 0;
3912
3913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3914
3915 return( 0 );
3916}
3917#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3918
3919/*
3920 * SSL handshake -- client side -- single step
3921 */
3922int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3923{
3924 int ret = 0;
3925
3926 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3927 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3928
3929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3930
3931 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3932 return( ret );
3933
3934#if defined(MBEDTLS_SSL_PROTO_DTLS)
3935 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3936 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3937 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3938 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3939 return( ret );
3940 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]3941#endif /* MBEDTLS_SSL_PROTO_DTLS */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]3942
3943 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3944 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3945#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3946 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3947 ssl->handshake->new_session_ticket != 0 )
3948 {
3949 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3950 }
3951#endif
3952
3953 switch( ssl->state )
3954 {
3955 case MBEDTLS_SSL_HELLO_REQUEST:
3956 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3957 break;
3958
3959 /*
3960 * ==> ClientHello
3961 */
3962 case MBEDTLS_SSL_CLIENT_HELLO:
3963 ret = ssl_write_client_hello( ssl );
3964 break;
3965
3966 /*
3967 * <== ServerHello
3968 * Certificate
3969 * ( ServerKeyExchange )
3970 * ( CertificateRequest )
3971 * ServerHelloDone
3972 */
3973 case MBEDTLS_SSL_SERVER_HELLO:
3974 ret = ssl_parse_server_hello( ssl );
3975 break;
3976
3977 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3978 ret = mbedtls_ssl_parse_certificate( ssl );
3979 break;
3980
3981 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3982 ret = ssl_parse_server_key_exchange( ssl );
3983 break;
3984
3985 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3986 ret = ssl_parse_certificate_request( ssl );
3987 break;
3988
3989 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3990 ret = ssl_parse_server_hello_done( ssl );
3991 break;
3992
3993 /*
3994 * ==> ( Certificate/Alert )
3995 * ClientKeyExchange
3996 * ( CertificateVerify )
3997 * ChangeCipherSpec
3998 * Finished
3999 */
4000 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4001 ret = mbedtls_ssl_write_certificate( ssl );
4002 break;
4003
4004 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4005 ret = ssl_write_client_key_exchange( ssl );
4006 break;
4007
4008 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4009 ret = ssl_write_certificate_verify( ssl );
4010 break;
4011
4012 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4013 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4014 break;
4015
4016 case MBEDTLS_SSL_CLIENT_FINISHED:
4017 ret = mbedtls_ssl_write_finished( ssl );
4018 break;
4019
4020 /*
4021 * <== ( NewSessionTicket )
4022 * ChangeCipherSpec
4023 * Finished
4024 */
4025#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4026 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
4027 ret = ssl_parse_new_session_ticket( ssl );
4028 break;
4029#endif
4030
4031 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4032 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4033 break;
4034
4035 case MBEDTLS_SSL_SERVER_FINISHED:
4036 ret = mbedtls_ssl_parse_finished( ssl );
4037 break;
4038
4039 case MBEDTLS_SSL_FLUSH_BUFFERS:
4040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4041 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4042 break;
4043
4044 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4045 mbedtls_ssl_handshake_wrapup( ssl );
4046 break;
4047
4048 default:
4049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4050 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4051 }
4052
4053 return( ret );
4054}
4055#endif /* MBEDTLS_SSL_CLI_C */