TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 3c0072b58e1a6ff4678ef79ff367e6dae848278b / . / library / ssl_tls12_server.c
blob: 38f322c9324501e479396c59c3bb837567d3f4e9 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]8#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]15#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/debug.h"
17#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]18#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]19#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]20#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]21
22#include <string.h>
23
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]24#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]27#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
28 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]29static int local_err_translation(psa_status_t status)
30{
31 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]32 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]33 psa_generic_status_to_mbedtls);
34}
35#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]36#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]37#endif
38
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]44#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]48int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
49 const unsigned char *info,
50 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]51{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
53 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
54 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]55
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]56 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]57
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]58 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
59 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
60 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63 ssl->cli_id_len = ilen;
64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]66}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]67
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
69 mbedtls_ssl_cookie_write_t *f_cookie_write,
70 mbedtls_ssl_cookie_check_t *f_cookie_check,
71 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]72{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]73 conf->f_cookie_write = f_cookie_write;
74 conf->f_cookie_check = f_cookie_check;
75 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]76}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]77#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]78
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]79#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]80MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]81static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]82{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (conf->f_psk != NULL) {
84 return 1;
85 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]86
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
88 return 0;
89 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]90
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]91
92#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
94 return 1;
95 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]96#endif /* MBEDTLS_USE_PSA_CRYPTO */
97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 if (conf->psk != NULL && conf->psk_len != 0) {
99 return 1;
100 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]103}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]104#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]105
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]106MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
108 const unsigned char *buf,
109 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]110{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]111#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]112 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]113 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]115 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]116 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
117 ssl->verify_data_len) != 0) {
118 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
120 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
121 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]122 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]123 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]125 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 if (len != 1 || buf[0] != 0x0) {
127 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
129 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
130 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]131 }
132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]133 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]134 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]135
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]137}
138
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]139#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]140 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]141 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]142/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]143 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
144 * curves (TLS 1.2) extension.
145 *
146 * The "extension_data" field of a supported groups extension contains a
147 * "NamedGroupList" value (TLS 1.3 RFC8446):
148 * enum {
149 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
150 * x25519(0x001D), x448(0x001E),
151 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
152 * ffdhe6144(0x0103), ffdhe8192(0x0104),
153 * ffdhe_private_use(0x01FC..0x01FF),
154 * ecdhe_private_use(0xFE00..0xFEFF),
155 * (0xFFFF)
156 * } NamedGroup;
157 * struct {
158 * NamedGroup named_group_list<2..2^16-1>;
159 * } NamedGroupList;
160 *
161 * The "extension_data" field of a supported elliptic curves extension contains
162 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
163 * enum {
164 * deprecated(1..22),
165 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
166 * x25519(29), x448(30),
167 * reserved (0xFE00..0xFEFF),
168 * deprecated(0xFF01..0xFF02),
169 * (0xFFFF)
170 * } NamedCurve;
171 * struct {
172 * NamedCurve named_curve_list<2..2^16-1>
173 * } NamedCurveList;
174 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]175 * The TLS 1.3 supported groups extension was defined to be a compatible
176 * generalization of the TLS 1.2 supported elliptic curves extension. They both
177 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]178 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]179 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]180MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]181static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
182 const unsigned char *buf,
183 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]184{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]185 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]186 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]187 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 if (len < 2) {
190 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
191 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
192 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
193 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]194 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]195 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]196 if (list_size + 2 != len ||
197 list_size % 2 != 0) {
198 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
199 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
200 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]202 }
203
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]204 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 if (ssl->handshake->curves_tls_id != NULL) {
206 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
207 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
208 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
209 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]210 }
211
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]212 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213 * and leave room for a final 0 */
214 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]215 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]216 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]219 if ((curves_tls_id = mbedtls_calloc(our_size,
220 sizeof(*curves_tls_id))) == NULL) {
221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
222 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
223 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]224 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]225
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]226 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]227
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]228 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]229 while (list_size > 0 && our_size > 1) {
230 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]231
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
233 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]234 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]235 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]236 }
237
238 list_size -= 2;
239 p += 2;
240 }
241
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]242 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]243}
244
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]245MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]246static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
247 const unsigned char *buf,
248 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]249{
250 size_t list_size;
251 const unsigned char *p;
252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]253 if (len == 0 || (size_t) (buf[0] + 1) != len) {
254 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
256 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
257 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]258 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]259 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]260
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]261 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]262 while (list_size > 0) {
263 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
264 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]265#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
266 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]267 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]268#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]269#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]270 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
271 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
272 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]273#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
275 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]276 }
277
278 list_size--;
279 p++;
280 }
281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]283}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]284#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]285 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]286 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]287
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]288#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]289MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]290static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
291 const unsigned char *buf,
292 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]293{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]294 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]295
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]296#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]297 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]302 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
303 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]304 }
305
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]306#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]307 if ((ret = mbedtls_psa_ecjpake_read_round(
308 &ssl->handshake->psa_pake_ctx, buf, len,
309 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
310 psa_destroy_key(ssl->handshake->psa_pake_password);
311 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]314 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 ssl,
316 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
317 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]320 }
321#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
323 buf, len)) != 0) {
324 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
325 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
327 return ret;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]328 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]329#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]330
331 /* Only mark the extension as OK when we're sure it is */
332 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
333
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]334 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]335}
336#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]339MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]340static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
341 const unsigned char *buf,
342 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]343{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
345 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
346 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
347 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
348 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]349 }
350
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]351 ssl->session_negotiate->mfl_code = buf[0];
352
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]353 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]354}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]355#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]356
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]357#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]358MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
360 const unsigned char *buf,
361 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]362{
363 size_t peer_cid_len;
364
365 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]366 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
367 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
368 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
369 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
370 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]371 }
372
373 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]374 * struct {
375 * opaque cid<0..2^8-1>;
376 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]379 if (len < 1) {
380 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
381 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
382 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
383 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]384 }
385
386 peer_cid_len = *buf++;
387 len--;
388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 if (len != peer_cid_len) {
390 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
391 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
392 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
393 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]394 }
395
396 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]397 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]398 /* Leave ssl->handshake->cid_in_use in its default
399 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
401 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]402 }
403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]404 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
405 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
406 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
408 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]409 }
410
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]411 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]412 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]413 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
416 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]417
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]419}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]420#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]422#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]423MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
425 const unsigned char *buf,
426 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]427{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]428 if (len != 0) {
429 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
430 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
431 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
432 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]433 }
434
435 ((void) buf);
436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]437 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]438 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]439 }
440
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]442}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]443#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]445#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]446MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]447static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
448 const unsigned char *buf,
449 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]450{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]451 if (len != 0) {
452 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
453 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
454 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
455 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]456 }
457
458 ((void) buf);
459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]461 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]462 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]463
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]464 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]465}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]466#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]468#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]469MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]470static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
471 unsigned char *buf,
472 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]473{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]475 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]479 if (ssl->conf->f_ticket_parse == NULL ||
480 ssl->conf->f_ticket_write == NULL) {
481 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]482 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]483
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]484 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]485 ssl->handshake->new_session_ticket = 1;
486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]489 if (len == 0) {
490 return 0;
491 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]493#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
495 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
496 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]497 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]499
500 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]501 * Failures are ok: just ignore the ticket and proceed.
502 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
504 buf, len)) != 0) {
505 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]507 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
508 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
509 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
510 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
511 } else {
512 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
513 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]514
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]516 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]517
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]518 /*
519 * Keep the session ID sent by the client, since we MUST send it back to
520 * inform them we're accepting the ticket (RFC 5077 section 3.4)
521 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]522 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]523 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525 mbedtls_ssl_session_free(ssl->session_negotiate);
526 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]527
528 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]531 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]532
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]533 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]534
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]535 /* Don't send a new ticket after all, this one is OK */
536 ssl->handshake->new_session_ticket = 0;
537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]539}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]540#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]541
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]543MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]544static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
545 const unsigned char *buf,
546 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]547{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]548 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]549 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]550 size_t profile_length;
551 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]552 /*! 2 bytes for profile length and 1 byte for mki len */
553 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]554
555 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
557 (ssl->conf->dtls_srtp_profile_list == NULL) ||
558 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
559 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]560 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]561
562 /* RFC5764 section 4.1.1
563 * uint8 SRTPProtectionProfile[2];
564 *
565 * struct {
566 * SRTPProtectionProfiles SRTPProtectionProfiles;
567 * opaque srtp_mki<0..255>;
568 * } UseSRTPData;
569
570 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]571 */
572
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]573 /*
574 * Min length is 5: at least one protection profile(2 bytes)
575 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]576 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]577 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]578 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]579 if (len < size_of_lengths) {
580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
582 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]583 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]584
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]586
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]587 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]589 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]590
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]591 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]592 if (profile_length > len - size_of_lengths ||
593 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
594 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
596 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]597 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]598 /*
599 * parse the extension list values are defined in
600 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
601 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]603 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]604 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
607 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
608 mbedtls_ssl_get_srtp_profile_as_string(
609 client_protection)));
610 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]611 continue;
612 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]613 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
615 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]616 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
618 mbedtls_ssl_get_srtp_profile_as_string(
619 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]620 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621 }
622 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]623 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]624 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]626 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]627 buf += profile_length; /* buf points to the mki length */
628 mki_length = *buf;
629 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]630
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]631 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
632 mki_length + profile_length + size_of_lengths != len) {
633 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
634 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
635 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]636 }
637
638 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]639 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
640 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]641 ssl->dtls_srtp_info.mki_len = mki_length;
642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]643 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]644
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]645 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
646 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]650}
651#endif /* MBEDTLS_SSL_DTLS_SRTP */
652
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]653/*
654 * Auxiliary functions for ServerHello parsing and related actions
655 */
656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]658/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]659 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]660 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]661#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]662MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663static int ssl_check_key_curve(mbedtls_pk_context *pk,
664 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]665{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]666 uint16_t *curr_tls_id = curves_tls_id;
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]667 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]668 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]670 while (*curr_tls_id != 0) {
671 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
672 if (curr_grp_id == grp_id) {
673 return 0;
674 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]675 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]676 }
677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]679}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]680#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]681
682/*
683 * Try picking a certificate for this ciphersuite,
684 * return 0 on success and -1 on failure.
685 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]686MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]687static int ssl_pick_cert(mbedtls_ssl_context *ssl,
688 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]689{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]690 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]691#if defined(MBEDTLS_USE_PSA_CRYPTO)
692 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]694 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]696#else
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]697 mbedtls_pk_type_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]700 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]704 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]705 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]706#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]707 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]708
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]709 int pk_alg_is_none = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]710#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]712#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]713 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]714#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 if (pk_alg_is_none) {
716 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]717 }
718
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]719 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
720
721 if (list == NULL) {
722 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
723 return -1;
724 }
725
726 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]727 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]728 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
729 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]730
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]731 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]732#if defined(MBEDTLS_USE_PSA_CRYPTO)
733#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
735 ssl->conf->f_async_decrypt_start != NULL ||
736 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
737 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]738#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]739 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]740 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]741#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
742#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]744#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745 if (!key_type_matches) {
746 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]748 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]749
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]750 /*
751 * This avoids sending the client a cert it'll reject based on
752 * keyUsage or other extensions.
753 *
754 * It also allows the user to provision different certificates for
755 * different uses based on keyUsage, eg if they want to avoid signing
756 * and decrypting with the same RSA key.
757 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]758 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
759 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
760 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
761 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]762 continue;
763 }
764
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]765#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (pk_alg == MBEDTLS_PK_ECDSA &&
767 ssl_check_key_curve(&cur->cert->pk,
768 ssl->handshake->curves_tls_id) != 0) {
769 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]770 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]771 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]772#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]773
774 /* If we get there, we got a winner */
775 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]776 }
777
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]778 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]779 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]780 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
782 ssl->handshake->key_cert->cert);
783 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]784 }
785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]786 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]787}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]788#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]789
790/*
791 * Check if a given ciphersuite is suitable for use with our config/keys/etc
792 * Sets ciphersuite_info only if the suite matches.
793 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
796 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]797{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]798 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]799
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]800#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]801 mbedtls_pk_type_t sig_type;
802#endif
803
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]804 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
805 if (suite_info == NULL) {
806 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
807 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808 }
809
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]810 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
811 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813 if (suite_info->min_tls_version > ssl->tls_version ||
814 suite_info->max_tls_version < ssl->tls_version) {
815 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
816 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]817 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]818
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]819#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]820 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
821 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
822 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
823 "not configured or ext missing"));
824 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]825 }
826#endif
827
828
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]829#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]830 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
832 (ssl->handshake->curves_tls_id == NULL ||
833 ssl->handshake->curves_tls_id[0] == 0)) {
834 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
835 "no common elliptic curve"));
836 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]837 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]838#endif
839
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]840#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]841 /* If the ciphersuite requires a pre-shared key and we don't
842 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]843 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
844 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
845 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
846 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]847 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]848#endif
849
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]850#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]851 /*
852 * Final check: if ciphersuite requires us to have a
853 * certificate/key of a particular type:
854 * - select the appropriate certificate if we have one, or
855 * - try the next ciphersuite if we don't
856 * This must be done last since we modify the key_cert list.
857 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]858 if (ssl_pick_cert(ssl, suite_info) != 0) {
859 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
860 "no suitable certificate"));
861 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]862 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]863#endif
864
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]865#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
866 /* If the ciphersuite requires signing, check whether
867 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
869 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]870 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
872 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
873 "for signature algorithm %u", (unsigned) sig_type));
874 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]875 }
876
877#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
878
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]879 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]880 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]881}
882
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]883/* This function doesn't alert on errors that happen early during
884 ClientHello parsing because they might indicate that the client is
885 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]886MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]887static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]889 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]890 size_t i, j;
891 size_t ciph_offset, comp_offset, ext_offset;
892 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]894 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]895#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]896 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]898 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]899#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]900 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]901 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]903
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]904 /* If there is no signature-algorithm extension present,
905 * we need to fall back to the default values for allowed
906 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]907#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]908 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]909#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]910
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]913 int renegotiating;
914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]916read_record_header:
917#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]918 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]919 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]920 * otherwise read it ourselves manually in order to support SSLv2
921 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]922 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
923 * ClientHello has been already fully fetched by the TLS 1.3 code and the
924 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]925 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]926 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]929#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]930 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]932 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]933 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
934 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]935 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936 }
937
938 buf = ssl->in_hdr;
939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]940 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]941
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]942 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]943 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]944 *
945 * Record layer:
946 * 0 . 0 message type
947 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]948 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]949 * 3 . 4 message length
950 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
952 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
955 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
956 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]957 }
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]960 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
963 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]964
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]965 /* For DTLS if this is the initial handshake, remember the client sequence
966 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]967#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]969#if defined(MBEDTLS_SSL_RENEGOTIATION)
970 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]971#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]973 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
975 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
976 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]977 }
978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
980 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]982#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]983 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
984 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]985 ssl->next_record_offset = 0;
986 ssl->in_left = 0;
987 goto read_record_header;
988 }
989
990 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]992#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]993 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]995
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]996 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1000 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]1001 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1002 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1003#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1004 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1005 if (ssl->keep_current_message) {
1006 ssl->keep_current_message = 0;
1007 } else {
1008 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1009 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1010 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1011 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1012
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1013 if ((ret = mbedtls_ssl_fetch_input(ssl,
1014 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1015 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1016 return ret;
1017 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1018
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1019 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1021 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1022 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1023 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1024#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1025 ssl->in_left = 0;
1026 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]1027 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1028
1029 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1030
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1031 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1032
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1033 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1034 if (0 != ret) {
1035 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1036 return ret;
1037 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1038
1039 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1040 * Handshake layer:
1041 * 0 . 0 handshake type
1042 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1043 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1044 * 6 . 8 DTLS only: fragment offset
1045 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1046 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1048 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1049 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1050 }
1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1054 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1055 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1056 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1057 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1058 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1059 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1060 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1061 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1062
1063 /* The record layer has a record size limit of 2^14 - 1 and
1064 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1065 if (buf[1] != 0) {
1066 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1067 (unsigned) buf[1]));
1068 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1069 }
1070
1071 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1072 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1073 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1074 (unsigned) msg_len,
1075 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1076 (unsigned) handshake_len));
1077 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1078 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1079 }
1080
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1082 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1083 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1084 * Copy the client's handshake message_seq on initial handshakes,
1085 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1086 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1089 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1090 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1091 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1092 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1093 "%u (expected %u)", cli_msg_seq,
1094 ssl->handshake->in_msg_seq));
1095 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1096 }
1097
1098 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1100#endif
1101 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1102 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1103 ssl->handshake->out_msg_seq = cli_msg_seq;
1104 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1105 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1106 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1107 /*
1108 * For now we don't support fragmentation, so make sure
1109 * fragment_offset == 0 and fragment_length == length
1110 */
1111 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1112 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1113 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1114 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1115 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 4, ("fragment_offset=%u fragment_length=%u length=%u",
1117 (unsigned) fragment_offset, (unsigned) fragment_length,
1118 (unsigned) length));
1119 if (fragment_offset != 0 || length != fragment_length) {
1120 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1121 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1122 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1123 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1124 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1126
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1127 buf += mbedtls_ssl_hs_hdr_len(ssl);
1128 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1129
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1130 /*
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1131 * ClientHello layout:
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1132 * 0 . 1 protocol version
1133 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1134 * 34 . 34 session id length (1 byte)
1135 * 35 . 34+x session id, where x = session id length from byte 34
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1136 * 35+x . 35+x DTLS only: cookie length (1 byte)
1137 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1138 * .. . .. ciphersuite list length (2 bytes)
1139 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1140 * .. . .. compression alg. list length (1 byte)
1141 * .. . .. compression alg. list
1142 * .. . .. extensions length (2 bytes, optional)
1143 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1144 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1145
1146 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1147 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1148 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1149 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1150 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1151 if (msg_len < 38) {
1152 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1153 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1154 }
1155
1156 /*
1157 * Check and save the protocol version
1158 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1159 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1160
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1161 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1162 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1163 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1164 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1166 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1167 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1168 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1169 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1170 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1171 }
1172
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1173 /*
1174 * Save client random (inc. Unix time)
1175 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1178 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1179
1180 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1181 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1182 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1183 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1186 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1187 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1188 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1189 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1190 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1191 }
1192
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1193 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1194
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1195 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1196 memset(ssl->session_negotiate->id, 0,
1197 sizeof(ssl->session_negotiate->id));
1198 memcpy(ssl->session_negotiate->id, buf + 35,
1199 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1200
1201 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1202 * Check the cookie length and content
1203 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1204#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1205 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1206 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1207 cookie_len = buf[cookie_offset];
1208
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1209 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1210 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1212 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1213 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1214 }
1215
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1216 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1217 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1218
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1219#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1220 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1221#if defined(MBEDTLS_SSL_RENEGOTIATION)
1222 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1223#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1224 ) {
1225 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1226 buf + cookie_offset + 1, cookie_len,
1227 ssl->cli_id, ssl->cli_id_len) != 0) {
1228 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1229 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1230 } else {
1231 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1232 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1233 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1234 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1236 {
1237 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1238 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1239 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1240 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1241 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1242 }
1243
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1244 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1245 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1247 /*
1248 * Check the ciphersuitelist length (will be parsed later)
1249 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1250 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1251 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1252#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1253 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1254
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1255 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1257 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1258 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1259 (ciph_len % 2) != 0) {
1260 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1261 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1262 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1263 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1264 }
1265
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1266 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1267 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1268
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1269 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1270 * Check the compression algorithm's length.
1271 * The list contents are ignored because implementing
1272 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1273 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1274 */
1275 comp_offset = ciph_offset + 2 + ciph_len;
1276
1277 comp_len = buf[comp_offset];
1278
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1279 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1280 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1281 comp_len + comp_offset + 1 > msg_len) {
1282 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1283 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1284 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1285 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1286 }
1287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1288 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1289 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1290
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1291 /*
1292 * Check the extension length
1293 */
1294 ext_offset = comp_offset + 1 + comp_len;
1295 if (msg_len > ext_offset) {
1296 if (msg_len < ext_offset + 2) {
1297 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1298 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1299 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1300 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1301 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1302
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1303 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1305 if (msg_len != ext_offset + 2 + ext_len) {
1306 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1307 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1308 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1309 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1310 }
1311 } else {
1312 ext_len = 0;
1313 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 ext = buf + ext_offset + 2;
1316 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1317
1318 while (ext_len != 0) {
1319 unsigned int ext_id;
1320 unsigned int ext_size;
1321 if (ext_len < 4) {
1322 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1323 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1324 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1325 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1326 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1327 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1328 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1329
1330 if (ext_size + 4 > ext_len) {
1331 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1332 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1333 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1334 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1335 }
1336 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1338 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1339 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1340 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1341 ext + 4 + ext_size);
1342 if (ret != 0) {
1343 return ret;
1344 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1345 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1347
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1348 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1349 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1350#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1351 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1352#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1354 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1355 if (ret != 0) {
1356 return ret;
1357 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1358 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1359
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1360#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1361 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1362 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1364 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1365 if (ret != 0) {
1366 return ret;
1367 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1368
1369 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1371#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1372
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1373#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1374 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1375 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1376 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1377 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1379 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1380 if (ret != 0) {
1381 return ret;
1382 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1383 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1384
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1385 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1386 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1387 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1389 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1390 if (ret != 0) {
1391 return ret;
1392 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1393 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1394#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1395 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1396 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1397
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1398#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1399 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1400 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1402 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1403 if (ret != 0) {
1404 return ret;
1405 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1406 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1407#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1408
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1410 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1413 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1414 if (ret != 0) {
1415 return ret;
1416 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1417 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1418#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1419
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1420#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1421 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1422 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1424 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1425 if (ret != 0) {
1426 return ret;
1427 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1428 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1429#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1432 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1435 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1436 if (ret != 0) {
1437 return ret;
1438 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1439 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1443 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1446 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1447 if (ret != 0) {
1448 return ret;
1449 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1450 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1454 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1455 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1456
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1457 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1458 if (ret != 0) {
1459 return ret;
1460 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1461 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1464#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1465 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1469 ext + 4 + ext_size);
1470 if (ret != 0) {
1471 return ret;
1472 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1473 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1474#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1475
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1476#if defined(MBEDTLS_SSL_DTLS_SRTP)
1477 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1478 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1481 if (ret != 0) {
1482 return ret;
1483 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1484 break;
1485#endif /* MBEDTLS_SSL_DTLS_SRTP */
1486
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1487 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1489 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1490 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 ext_len -= 4 + ext_size;
1493 ext += 4 + ext_size;
1494 }
1495
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1496#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1497
1498 /*
1499 * Try to fall back to default hash SHA1 if the client
1500 * hasn't provided any preferred signature-hash combinations.
1501 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1502 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1503 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1504 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1505#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1506 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1507 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1508#endif
1509#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1510 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1511 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1512#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1513 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1514 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1515
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1516 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1517 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1518 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1519
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1520 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1521 }
1522
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1523#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1524
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1525 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1526 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1527 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1528 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1529 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1530 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1531#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1532 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1533 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1534 "during renegotiation"));
1535 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1536 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1537 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1538 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1539#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1540 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1541 break;
1542 }
1543 }
1544
1545 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1546 * Renegotiation security checks
1547 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1548 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1549 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1550 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1551 handshake_failure = 1;
1552 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1553#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1554 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1556 renegotiation_info_seen == 0) {
1557 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1558 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1559 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1560 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1561 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1562 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1563 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1564 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1565 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1566 renegotiation_info_seen == 1) {
1567 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1568 handshake_failure = 1;
1569 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1570#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1571
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1572 if (handshake_failure == 1) {
1573 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1574 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1575 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1576 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1577
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1578 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1579 * Server certification selection (after processing TLS extensions)
1580 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1581 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1582 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1583 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1584 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1585#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1586 ssl->handshake->sni_name = NULL;
1587 ssl->handshake->sni_name_len = 0;
1588#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1589
1590 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1591 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1592 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1593 * and certificate from the SNI callback triggered by the SNI extension
1594 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1595 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1596 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1597 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1598 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1599
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1600 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1601 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1602 for (i = 0; ciphersuites[i] != 0; i++) {
1603 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1604 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1605 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1606
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1607 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1608
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1609 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1610 &ciphersuite_info)) != 0) {
1611 return ret;
1612 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1614 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1615 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1616 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1617 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1618 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1619 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1620 for (i = 0; ciphersuites[i] != 0; i++) {
1621 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1622 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1623 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1624 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1625
1626 got_common_suite = 1;
1627
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1628 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1629 &ciphersuite_info)) != 0) {
1630 return ret;
1631 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1632
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1633 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1634 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1636 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1637 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1638 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1640 if (got_common_suite) {
1641 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1642 "but none of them usable"));
1643 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1644 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1645 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1646 } else {
1647 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1648 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1649 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1650 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1651 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1652
1653have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1654 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1655
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1656 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1657 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1658
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1659 ssl->state++;
1660
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1661#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1662 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1663 mbedtls_ssl_recv_flight_completed(ssl);
1664 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1665#endif
1666
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1667 /* Debugging-only output for testsuite */
1668#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1669 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1670 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1671 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1672 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1674 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1675 sig_hash));
1676 } else {
1677 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1678 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1679 }
1680#endif
1681
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1682 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1684 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685}
1686
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1687#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1688static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1689 unsigned char *buf,
1690 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1691{
1692 unsigned char *p = buf;
1693 size_t ext_len;
1694 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1695
1696 *olen = 0;
1697
1698 /* Skip writing the extension if we don't want to use it or if
1699 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1700 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1701 return;
1702 }
1703
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1704 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1705 * which is at most 255, so the increment cannot overflow. */
1706 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1707 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1708 return;
1709 }
1710
1711 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1712
1713 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1714 * struct {
1715 * opaque cid<0..2^8-1>;
1716 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717 */
1718 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1719 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1720 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1721 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1722 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1723
1724 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1726
1727 *olen = ssl->own_cid_len + 5;
1728}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1729#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1730
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1731#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1732static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1733 unsigned char *buf,
1734 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1735{
1736 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1738
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1739 /*
1740 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1741 * from a client and then selects a stream or Authenticated Encryption
1742 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1743 * encrypt-then-MAC response extension back to the client."
1744 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1745 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1746 ssl->session_negotiate->ciphersuite);
1747 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1748 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1749 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1750 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1751 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1752 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1753 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1754
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1755 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1756 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1757 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1758 }
1759
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1760 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1761 *olen = 0;
1762 return;
1763 }
1764
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1765 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1766
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1767 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1768 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1769
1770 *p++ = 0x00;
1771 *p++ = 0x00;
1772
1773 *olen = 4;
1774}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1775#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1777#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1778static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1779 unsigned char *buf,
1780 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1781{
1782 unsigned char *p = buf;
1783
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1784 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1785 *olen = 0;
1786 return;
1787 }
1788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1789 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1790 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1791
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1792 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1793 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1794
1795 *p++ = 0x00;
1796 *p++ = 0x00;
1797
1798 *olen = 4;
1799}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1800#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1803static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1804 unsigned char *buf,
1805 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1806{
1807 unsigned char *p = buf;
1808
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1809 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1810 *olen = 0;
1811 return;
1812 }
1813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1814 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1817 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1818
1819 *p++ = 0x00;
1820 *p++ = 0x00;
1821
1822 *olen = 4;
1823}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1824#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1825
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1826static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1827 unsigned char *buf,
1828 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1829{
1830 unsigned char *p = buf;
1831
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1832 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1833 *olen = 0;
1834 return;
1835 }
1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1839 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1840 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1841
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1843 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1844 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1845 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1846 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1848 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1849 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1850 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1851 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1852 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1853#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1854 {
1855 *p++ = 0x00;
1856 *p++ = 0x01;
1857 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1858 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1859
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1860 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1861}
1862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1864static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1865 unsigned char *buf,
1866 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1867{
1868 unsigned char *p = buf;
1869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1870 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1871 *olen = 0;
1872 return;
1873 }
1874
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1875 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1876
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1877 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1878 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1879
1880 *p++ = 0x00;
1881 *p++ = 1;
1882
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1883 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1884
1885 *olen = 5;
1886}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1887#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1888
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1889#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1890 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1891 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1892static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1893 unsigned char *buf,
1894 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1895{
1896 unsigned char *p = buf;
1897 ((void) ssl);
1898
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1899 if ((ssl->handshake->cli_exts &
1900 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1901 *olen = 0;
1902 return;
1903 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1904
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1905 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1906
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1907 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1908 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1909
1910 *p++ = 0x00;
1911 *p++ = 2;
1912
1913 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1914 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1915
1916 *olen = 6;
1917}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1918#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1919 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1920 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1921
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1922#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1923static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1924 unsigned char *buf,
1925 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1926{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1928 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1929 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1930 size_t kkpp_len;
1931
1932 *olen = 0;
1933
1934 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1935 if (ssl->handshake->ciphersuite_info->key_exchange !=
1936 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1937 return;
1938 }
1939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1940 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1941
1942 if (end - p < 4) {
1943 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1944 return;
1945 }
1946
1947 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1948 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1949
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1950#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1951 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1952 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1953 MBEDTLS_ECJPAKE_ROUND_ONE);
1954 if (ret != 0) {
1955 psa_destroy_key(ssl->handshake->psa_pake_password);
1956 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1957 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1958 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1959 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1960#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1961 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1962 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1963 ssl->conf->f_rng, ssl->conf->p_rng);
1964 if (ret != 0) {
1965 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1966 return;
1967 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1968#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1969
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1970 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1971 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1972
1973 *olen = kkpp_len + 4;
1974}
1975#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1977#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1978static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1979 unsigned char *buf,
1980 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1981{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1982 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1983 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1984 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1985
1986 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1987
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1988 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1989 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1990 return;
1991 }
1992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1993 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1996 mki_len = ssl->dtls_srtp_info.mki_len;
1997 }
1998
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1999 /* The extension total size is 9 bytes :
2000 * - 2 bytes for the extension tag
2001 * - 2 bytes for the total size
2002 * - 2 bytes for the protection profile length
2003 * - 2 bytes for the protection profile
2004 * - 1 byte for the mki length
2005 * + the actual mki length
2006 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2007 if ((size_t) (end - buf) < mki_len + 9) {
2008 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]2009 return;
2010 }
2011
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2012 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2013 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]2014 /*
2015 * total length 5 and mki value: only one profile(2 bytes)
2016 * and length(2 bytes) and srtp_mki )
2017 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2018 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2019 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2020
2021 /* protection profile length: 2 */
2022 buf[4] = 0x00;
2023 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]2024 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2025 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2026 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2027 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2028 } else {
2029 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]2030 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2031 }
2032
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2033 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2034 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2035
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2036 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2037}
2038#endif /* MBEDTLS_SSL_DTLS_SRTP */
2039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2040#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2041MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2042static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2043{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2044 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2045 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2046 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2047
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2048 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2049
2050 /*
2051 * struct {
2052 * ProtocolVersion server_version;
2053 * opaque cookie<0..2^8-1>;
2054 * } HelloVerifyRequest;
2055 */
2056
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2057 /* The RFC is not clear on this point, but sending the actual negotiated
2058 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2059 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2060 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2061 p += 2;
2062
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2063 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2064 if (ssl->conf->f_cookie_write == NULL) {
2065 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2066 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2067 }
2068
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2069 /* Skip length byte until we know the length */
2070 cookie_len_byte = p++;
2071
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2072 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2073 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2074 ssl->cli_id, ssl->cli_id_len)) != 0) {
2075 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2076 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2077 }
2078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2079 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2081 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2082
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2083 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2084 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2085 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2087 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2088
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2089 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2090 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2091 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2092 }
2093
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2094#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2095 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2096 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2097 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2098 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2099 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2100#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2102 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2104 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2105}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2106#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2107
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2108static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2109{
2110 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2111 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2112 mbedtls_ssl_session * const session = ssl->session_negotiate;
2113
2114 /* Resume is 0 by default, see ssl_handshake_init().
2115 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2116 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2117 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2118 }
2119 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2120 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2121 }
2122 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2123 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2124 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2125#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2126 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2127 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2128 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2129#endif
2130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2131 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2134 session->id,
2135 session->id_len,
2136 &session_tmp);
2137 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2138 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2139 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2140
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2142 /* Mismatch between cached and negotiated session */
2143 goto exit;
2144 }
2145
2146 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2147 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2148 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2149 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2150
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2151 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2152 ssl->handshake->resume = 1;
2153
2154exit:
2155
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2156 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2157}
2158
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2159MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2163 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2164#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2165 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2166 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167 unsigned char *buf, *p;
2168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2169 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2172 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2173 ssl->handshake->cookie_verify_result != 0) {
2174 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2175 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2176
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2177 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2178 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2179#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2181 if (ssl->conf->f_rng == NULL) {
2182 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2183 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2184 }
2185
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186 /*
2187 * 0 . 0 handshake type
2188 * 1 . 3 handshake length
2189 * 4 . 5 protocol version
2190 * 6 . 9 UNIX time()
2191 * 10 . 37 random bytes
2192 */
2193 buf = ssl->out_msg;
2194 p = buf + 4;
2195
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2197 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2199 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2200 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2202#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2203 t = mbedtls_time(NULL);
2204 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2205 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2207 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2208 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2209#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2210 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2211 return ret;
2212 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2213
2214 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2215#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2216
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2217 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2218 return ret;
2219 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2220 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2221
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2222#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2223 /*
2224 * RFC 8446
2225 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2226 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2227 * response to a ClientHello MUST set the last 8 bytes of their Random
2228 * value specially in their ServerHello.
2229 */
2230 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2231 static const unsigned char magic_tls12_downgrade_string[] =
2232 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2233
2234 MBEDTLS_STATIC_ASSERT(
2235 sizeof(magic_tls12_downgrade_string) == 8,
2236 "magic_tls12_downgrade_string does not have the expected size");
2237
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2238 memcpy(p, magic_tls12_downgrade_string,
2239 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2240 } else
2241#endif
2242 {
2243 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2244 return ret;
2245 }
2246 }
2247 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2249 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2250
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2251 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2253 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2255 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2257 * New session, create a new session id,
2258 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260 ssl->state++;
2261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2262#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2264#endif
2265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2266#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2267 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2268 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2269 memset(ssl->session_negotiate->id, 0, 32);
2270 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2272 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2273 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2274 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2275 n)) != 0) {
2276 return ret;
2277 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2278 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2279 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2280 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2281 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2282 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2283 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2286 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2287 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2288 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2289 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2290 }
2291
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2292 /*
2293 * 38 . 38 session id length
2294 * 39 . 38+n session id
2295 * 39+n . 40+n chosen ciphersuite
2296 * 41+n . 41+n chosen compression alg.
2297 * 42+n . 43+n extensions length
2298 * 44+n . 43+n+m extensions
2299 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2300 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2301 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2302 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2303
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2304 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2305 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2306 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2307 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2308
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2309 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2310 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2311 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2313 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2314 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2315 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2316 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2317
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2318 /*
2319 * First write extensions, then the total length
2320 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2322 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2324#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2326 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2327#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2328
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2329#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2330 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2331 ext_len += olen;
2332#endif
2333
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2334#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2335 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2336 ext_len += olen;
2337#endif
2338
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2339#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2340 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2341 ext_len += olen;
2342#endif
2343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2344#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2345 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2346 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2347#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2348
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2349#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2350 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2351 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2352 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2353 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2354 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2355 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2356 ext_len += olen;
2357 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2358#endif
2359
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2360#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2361 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2362 ext_len += olen;
2363#endif
2364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2365#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2366 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2367 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2368 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2369 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2370 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2371
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2372 ext_len += olen;
2373#endif
2374
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2375#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2376 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2377 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2378#endif
2379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2380 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2381 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2382
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 if (ext_len > 0) {
2384 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2385 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2386 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2388 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2389 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2390 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2392 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2393
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2394 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2396 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397}
2398
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2399#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2400MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2401static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2402{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2403 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2404 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2406 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2408 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2409 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2410 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2411 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2412 }
2413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2414 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2415 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2416}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2417#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2418MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2420{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2421 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2422 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2423 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2424 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2425 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2426 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2427 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2428 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2429 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2431 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2432
2433 ssl->state++;
2434
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2435#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2436 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2437 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2438 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2439#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2440 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2442 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2443 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2444 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2445 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2446 }
2447
2448 /*
2449 * 0 . 0 handshake type
2450 * 1 . 3 handshake length
2451 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2452 * 5 .. m-1 cert types
2453 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2454 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2455 * n .. n+1 length of all DNs
2456 * n+2 .. n+3 length of DN 1
2457 * n+4 .. ... Distinguished Name #1
2458 * ... .. ... length of DN 2, etc.
2459 */
2460 buf = ssl->out_msg;
2461 p = buf + 4;
2462
2463 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2464 * Supported certificate types
2465 *
2466 * ClientCertificateType certificate_types<1..2^8-1>;
2467 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2468 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2469 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2471#if defined(MBEDTLS_RSA_C)
2472 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2473#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2474#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2475 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2476#endif
2477
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2478 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2479 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2480
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2481 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2482
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2483 /*
2484 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2485 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2486 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2487 *
2488 * struct {
2489 * HashAlgorithm hash;
2490 * SignatureAlgorithm signature;
2491 * } SignatureAndHashAlgorithm;
2492 *
2493 * enum { (255) } HashAlgorithm;
2494 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2495 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2497 if (sig_alg == NULL) {
2498 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2499 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2500
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2501 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2502 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2503
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2504 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2505 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2506 }
2507 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2508 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2510
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2511 /* Write elements at offsets starting from 1 (offset 0 is for the
2512 * length). Thus the offset of each element is the length of the
2513 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2514 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2515 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2516
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2517 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2518
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2519 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2520 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2521 sa_len += 2;
2522 p += sa_len;
2523
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2524 /*
2525 * DistinguishedName certificate_authorities<0..2^16-1>;
2526 * opaque DistinguishedName<1..2^16-1>;
2527 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2529
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2530 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2532 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2533 /* NOTE: If trusted certificates are provisioned
2534 * via a CA callback (configured through
2535 * `mbedtls_ssl_conf_ca_cb()`, then the
2536 * CertificateRequest is currently left empty. */
2537
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2538#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2539#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2540 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2541 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2542 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2543#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2544 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2545 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2546 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2547#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2548#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2549 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2550 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2551 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2552#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2553 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2555 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2556 /* It follows from RFC 5280 A.1 that this length
2557 * can be represented in at most 11 bits. */
2558 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2559
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2560 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2561 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2562 break;
2563 }
2564
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2565 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2566 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2567 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2568 p += dn_size;
2569
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2570 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2571
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2572 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2573 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2574 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2575 }
2576
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2577 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2578 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2579 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2580 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2582 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2584 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2585
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2586 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2587}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2588#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2589
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2590#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2591 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2592#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2593MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2594static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2595{
2596 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2597 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2598 mbedtls_pk_context *pk;
2599 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2600 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2601 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2602 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2603#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2604 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2605 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2606 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2607 mbedtls_ecp_keypair *key;
2608#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2610 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2611
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2612 if (pk == NULL) {
2613 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2614 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2615
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2616 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2617
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2618 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2620#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2621 case MBEDTLS_PK_ECKEY:
2622 case MBEDTLS_PK_ECKEY_DH:
2623 case MBEDTLS_PK_ECDSA:
2624#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2625 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2626 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2627 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2628
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2629 /* Get the attributes of the key previously parsed by PK module in
2630 * order to extract its type and length (in bits). */
2631 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2632 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2633 ret = PSA_TO_MBEDTLS_ERR(status);
2634 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2635 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2636 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2637 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2638
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2639 if (pk_type == MBEDTLS_PK_OPAQUE) {
2640 /* Opaque key is created by the user (externally from Mbed TLS)
2641 * so we assume it already has the right algorithm and flags
2642 * set. Just copy its ID as reference. */
2643 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2644 ssl->handshake->xxdh_psa_privkey_is_external = 1;
2645 } else {
2646 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2647 * module and only have ECDSA capabilities. Since we need
2648 * them for ECDH later, we export and then re-import them with
2649 * proper flags and algorithm. Of course We also set key's type
2650 * and bits that we just got above. */
2651 key_attributes = psa_key_attributes_init();
2652 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2653 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2654 psa_set_key_type(&key_attributes,
2655 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2656 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2657
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2658 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2659 if (status != PSA_SUCCESS) {
2660 ret = PSA_TO_MBEDTLS_ERR(status);
2661 goto exit;
2662 }
2663 status = psa_import_key(&key_attributes, buf, key_len,
2664 &ssl->handshake->xxdh_psa_privkey);
2665 if (status != PSA_SUCCESS) {
2666 ret = PSA_TO_MBEDTLS_ERR(status);
2667 goto exit;
2668 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2669
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2670 /* Set this key as owned by the TLS library: it will be its duty
2671 * to clear it exit. */
2672 ssl->handshake->xxdh_psa_privkey_is_external = 0;
2673 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2674
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2675 ret = 0;
2676 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2677#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2678 case MBEDTLS_PK_ECKEY:
2679 case MBEDTLS_PK_ECKEY_DH:
2680 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2681 key = mbedtls_pk_ec_rw(*pk);
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]2682 grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2683 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2684 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2685 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2686 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2687 if (tls_id == 0) {
2688 /* This elliptic curve is not supported */
2689 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2690 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2692 /* If the above conversion to TLS ID was fine, then also this one will
2693 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2694 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2695 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2696
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2697 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2698
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2699 key_attributes = psa_key_attributes_init();
2700 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2701 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2702 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2703 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2704 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2705
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2706 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2707 ret = mbedtls_ecp_write_key(key, buf, key_len);
2708 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2709 mbedtls_platform_zeroize(buf, sizeof(buf));
2710 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2711 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2712
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2713 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2714 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2715 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2716 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2717 mbedtls_platform_zeroize(buf, sizeof(buf));
2718 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2719 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2720
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2721 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2722 ret = 0;
2723 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2724#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2725 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2726 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2727 }
2728
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2729exit:
2730 psa_reset_key_attributes(&key_attributes);
2731 mbedtls_platform_zeroize(buf, sizeof(buf));
2732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2733 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2734}
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2735#else /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2736MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2737static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2738{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2739 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2740
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2741 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2742 if (private_key == NULL) {
2743 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2744 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2745 }
2746
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2747 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2748 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2749 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2750 }
2751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2752 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]2753 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2754 MBEDTLS_ECDH_OURS)) != 0) {
2755 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2756 return ret;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2757 }
2758
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2759 return 0;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2760}
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2761#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2762#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2763 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2764
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2765#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2766 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2767MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2768static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2769 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2770{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2771 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2772 * signature length which will be added in ssl_write_server_key_exchange
2773 * after the call to ssl_prepare_server_key_exchange.
2774 * ssl_write_server_key_exchange also takes care of incrementing
2775 * ssl->out_msglen. */
2776 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2777 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2778 - sig_start);
2779 int ret = ssl->conf->f_async_resume(ssl,
2780 sig_start, signature_len, sig_max_len);
2781 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2782 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2783 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2784 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2785 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2786 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2787}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2788#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2789 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2790
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2791/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2792 * calculating the signature if any, but excluding formatting the
2793 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2795static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2796 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2797{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2798 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2799 ssl->handshake->ciphersuite_info;
2800
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2801#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2802#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2803 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2804#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2805#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2806
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2807 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2808#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2809 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2810#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2811
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2812#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2813#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2814 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2815#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2816 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2817#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2818#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2819
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2820 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2821
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2822 /*
2823 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2824 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2825 *
2826 */
2827
2828 /*
2829 * - ECJPAKE key exchanges
2830 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2831#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2832 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2834#if defined(MBEDTLS_USE_PSA_CRYPTO)
2835 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2836 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2837 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2838 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2839 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2840
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2841 /*
2842 * The first 3 bytes are:
2843 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2844 * [1, 2] elliptic curve's TLS ID
2845 *
2846 * However since we only support secp256r1 for now, we hardcode its
2847 * TLS ID here
2848 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2849 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2850 MBEDTLS_ECP_DP_SECP256R1);
2851 if (tls_id == 0) {
2852 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2853 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2854 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2855 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2856 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2857
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2858 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2859 out_p + output_offset,
2860 end_p - out_p - output_offset, &output_len,
2861 MBEDTLS_ECJPAKE_ROUND_TWO);
2862 if (ret != 0) {
2863 psa_destroy_key(ssl->handshake->psa_pake_password);
2864 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2865 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2866 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2867 }
2868
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2869 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2870 ssl->out_msglen += output_offset;
2871#else
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2872 size_t len = 0;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2873
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2874 ret = mbedtls_ecjpake_write_round_two(
2875 &ssl->handshake->ecjpake_ctx,
2876 ssl->out_msg + ssl->out_msglen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2877 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2878 ssl->conf->f_rng, ssl->conf->p_rng);
2879 if (ret != 0) {
2880 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2881 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2882 }
2883
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2884 ssl->out_msglen += len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2885#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2886 }
2887#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2888
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2889 /*
2890 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2891 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2892 * we use empty support identity hints here.
2893 **/
2894#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2895 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2896 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2897 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2898 ssl->out_msg[ssl->out_msglen++] = 0x00;
2899 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2900 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2901#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2902 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2903
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2904 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2905 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2906 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2907#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2908 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2909 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2910 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2911
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2912 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2913 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2914 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2915 }
2916
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2917 /*
2918 * Ephemeral DH parameters:
2919 *
2920 * struct {
2921 * opaque dh_p<1..2^16-1>;
2922 * opaque dh_g<1..2^16-1>;
2923 * opaque dh_Ys<1..2^16-1>;
2924 * } ServerDHParams;
2925 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2926 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2927 &ssl->conf->dhm_P,
2928 &ssl->conf->dhm_G)) != 0) {
2929 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2930 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2931 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2932
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2933 if ((ret = mbedtls_dhm_make_params(
2934 &ssl->handshake->dhm_ctx,
2935 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2936 ssl->out_msg + ssl->out_msglen, &len,
2937 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2938 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2939 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2940 }
2941
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2942#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2943 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2944#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2945
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2946 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2949 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2950 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2951 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2952 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2953#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2954
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2955 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2956 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2957 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2958#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2959 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2960 /*
2961 * Ephemeral ECDH parameters:
2962 *
2963 * struct {
2964 * ECParameters curve_params;
2965 * ECPoint public;
2966 * } ServerECDHParams;
2967 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2968 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2969 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2970 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2971 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2972
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2973 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2974 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2975 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2976 }
2977 for (; *group_list != 0; group_list++) {
2978 for (curr_tls_id = ssl->handshake->curves_tls_id;
2979 *curr_tls_id != 0; curr_tls_id++) {
2980 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2981 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2982 }
2983 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2984 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2986curve_matching_done:
2987 if (*curr_tls_id == 0) {
2988 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2989 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2990 }
2991
2992 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2993 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2994
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2995#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2996 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2997 psa_key_attributes_t key_attributes;
2998 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2999 uint8_t *p = ssl->out_msg + ssl->out_msglen;
3000 const size_t header_size = 4; // curve_type(1), namedcurve(2),
3001 // data length(1)
3002 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]3003 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]3004 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3005
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3006 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3007
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]3008 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3009 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]3010 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3011 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
3012 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
3013 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]3014 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3015 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]3016 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3017
3018 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3019 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3020 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3021 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]3022 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3023
3024 /*
3025 * ECParameters curve_params
3026 *
3027 * First byte is curve_type, always named_curve
3028 */
3029 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3030
3031 /*
3032 * Next two bytes are the namedcurve value
3033 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3034 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3035 p += 2;
3036
3037 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3038 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3039 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3040 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3041 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3042 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3043 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3044 }
3045
3046 /*
3047 * ECPoint public
3048 *
3049 * First byte is data length.
3050 * It will be filled later. p holds now the data length location.
3051 */
3052
3053 /* Export the public part of the ECDH private key from PSA.
3054 * Make one byte space for the length.
3055 */
3056 unsigned char *own_pubkey = p + data_length_size;
3057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3058 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3059 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3060
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3061 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3062 own_pubkey, own_pubkey_max_len,
3063 &len);
3064 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3065 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3066 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3067 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3068 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3069 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3070 }
3071
3072 /* Store the length of the exported public key. */
3073 *p = (uint8_t) len;
3074
3075 /* Determine full message length. */
3076 len += header_size;
3077#else
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3078 mbedtls_ecp_group_id curr_grp_id =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3079 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3081 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3082 curr_grp_id)) != 0) {
3083 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3084 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3085 }
3086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3087 if ((ret = mbedtls_ecdh_make_params(
3088 &ssl->handshake->ecdh_ctx, &len,
3089 ssl->out_msg + ssl->out_msglen,
3090 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3091 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3092 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3093 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3094 }
3095
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3096 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3097 MBEDTLS_DEBUG_ECDH_Q);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3098#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3099
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3100#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3101 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3102#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3103
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3104 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3105 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3106#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3107
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3108 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3109 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3110 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3111 * exchange parameters, compute and add the signature here.
3112 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3113 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3114#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3115 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3116 if (dig_signed == NULL) {
3117 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3118 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]3119 }
3120
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3121 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3122 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3123 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3124
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3125 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3126
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3127 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3128 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3129 * For TLS 1.2, obey signature-hash-algorithm extension
3130 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3131 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3132
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3133 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3134 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3135
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]3136 unsigned char sig_hash =
3137 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3138 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3140 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3141
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3142 /* For TLS 1.2, obey signature-hash-algorithm extension
3143 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3144 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3145 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3146 /* (... because we choose a cipher suite
3147 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3148 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3149 }
3150
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3151 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3152
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3153 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3154 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3155 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3156 if (md_alg != MBEDTLS_MD_NONE) {
3157 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3158 dig_signed,
3159 dig_signed_len,
3160 md_alg);
3161 if (ret != 0) {
3162 return ret;
3163 }
3164 } else {
3165 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3166 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3167 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3168
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3169 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3170
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3171 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3172 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3173 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3174 /*
3175 * We need to specify signature and hash algorithm explicitly through
3176 * a prefix to the signature.
3177 *
3178 * struct {
3179 * HashAlgorithm hash;
3180 * SignatureAlgorithm signature;
3181 * } SignatureAndHashAlgorithm;
3182 *
3183 * struct {
3184 * SignatureAndHashAlgorithm algorithm;
3185 * opaque signature<0..2^16-1>;
3186 * } DigitallySigned;
3187 *
3188 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3190 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3191 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3192
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3193#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3194 if (ssl->conf->f_async_sign_start != NULL) {
3195 ret = ssl->conf->f_async_sign_start(ssl,
3196 mbedtls_ssl_own_cert(ssl),
3197 md_alg, hash, hashlen);
3198 switch (ret) {
3199 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3200 /* act as if f_async_sign was null */
3201 break;
3202 case 0:
3203 ssl->handshake->async_in_progress = 1;
3204 return ssl_resume_server_key_exchange(ssl, signature_len);
3205 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3206 ssl->handshake->async_in_progress = 1;
3207 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3208 default:
3209 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3210 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3211 }
3212 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3213#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3215 if (mbedtls_ssl_own_key(ssl) == NULL) {
3216 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3217 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3218 }
3219
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3220 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3221 * signature length which will be added in ssl_write_server_key_exchange
3222 * after the call to ssl_prepare_server_key_exchange.
3223 * ssl_write_server_key_exchange also takes care of incrementing
3224 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3225 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3226 md_alg, hash, hashlen,
3227 ssl->out_msg + ssl->out_msglen + 2,
3228 out_buf_len - ssl->out_msglen - 2,
3229 signature_len,
3230 ssl->conf->f_rng,
3231 ssl->conf->p_rng)) != 0) {
3232 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3233 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3234 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3235 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3236#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3237
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3238 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3239}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3240
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3241/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3242 * that do not include a ServerKeyExchange message, do nothing. Either
3243 * way, if successful, move on to the next step in the SSL state
3244 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3245MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3246static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3247{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3248 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3249 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3250#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3251 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3252 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3253#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3255 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3256
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3257#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3258 /* Extract static ECDH parameters and abort if ServerKeyExchange
3259 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3260 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3261 /* For suites involving ECDH, extract DH parameters
3262 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3263#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3264 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3265 ret = ssl_get_ecdh_params_from_cert(ssl);
3266 if (ret != 0) {
3267 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3268 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3269 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3270 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3271#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3272
3273 /* Key exchanges not involving ephemeral keys don't use
3274 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3275 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3276 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3277 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3278 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3279#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3280
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3281#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3282 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3283 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3284 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3285 if (ssl->handshake->async_in_progress != 0) {
3286 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3287 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3288 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3289#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3290 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3291 {
3292 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3293 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3294 }
3295
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3296 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3297 /* If we're starting to write a new message, set ssl->out_msglen
3298 * to 0. But if we're resuming after an asynchronous message,
3299 * out_msglen is the amount of data written so far and mst be
3300 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3301 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3302 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3303 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3304 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3305 }
3306 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3307 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3308
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3309 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3310 * ssl_prepare_server_key_exchange already wrote the signature
3311 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3312#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3313 if (signature_len != 0) {
3314 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3315 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3317 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3318 ssl->out_msg + ssl->out_msglen,
3319 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3320
3321 /* Skip over the already-written signature */
3322 ssl->out_msglen += signature_len;
3323 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3324#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3325
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3326 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3327 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3328 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3329
3330 ssl->state++;
3331
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3332 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3333 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3334 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3335 }
3336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3337 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3338 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3339}
3340
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3341MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3342static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3343{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3345
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3346 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3347
3348 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3349 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3350 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3351
3352 ssl->state++;
3353
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3354#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3355 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3356 mbedtls_ssl_send_flight_completed(ssl);
3357 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3358#endif
3359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3360 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3361 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3362 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3363 }
3364
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3365#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3366 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3367 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3368 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3369 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3370 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3371#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3373 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3375 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3376}
3377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3378#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3379 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3380MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3381static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3382 const unsigned char *end)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3383{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3385 size_t n;
3386
3387 /*
3388 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3389 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3390 if (*p + 2 > end) {
3391 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3392 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3393 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3394
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3395 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3396 *p += 2;
3397
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3398 if (*p + n > end) {
3399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3400 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3401 }
3402
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3403 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3404 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3405 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3406 }
3407
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3408 *p += n;
3409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3410 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3412 return ret;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3413}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3414#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3415 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3417#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3418 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3419
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3420#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3421MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3422static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3423 unsigned char *peer_pms,
3424 size_t *peer_pmslen,
3425 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3426{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3427 int ret = ssl->conf->f_async_resume(ssl,
3428 peer_pms, peer_pmslen, peer_pmssize);
3429 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3430 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3431 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3432 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3433 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3434 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3435}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3436#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3437
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3438MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3439static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3440 const unsigned char *p,
3441 const unsigned char *end,
3442 unsigned char *peer_pms,
3443 size_t *peer_pmslen,
3444 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3445{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3446 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3448 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3449 if (own_cert == NULL) {
3450 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3451 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3452 }
3453 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3454 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3455 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3456
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3457#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3458 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3459 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3460 if (ssl->handshake->async_in_progress != 0) {
3461 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3462 return ssl_resume_decrypt_pms(ssl,
3463 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3464 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3465#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3466
3467 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3468 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3469 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3470 if (p + 2 > end) {
3471 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3472 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3473 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3474 if (*p++ != MBEDTLS_BYTE_1(len) ||
3475 *p++ != MBEDTLS_BYTE_0(len)) {
3476 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3477 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3478 }
3479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3480 if (p + len != end) {
3481 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3482 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3483 }
3484
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3485 /*
3486 * Decrypt the premaster secret
3487 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3488#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3489 if (ssl->conf->f_async_decrypt_start != NULL) {
3490 ret = ssl->conf->f_async_decrypt_start(ssl,
3491 mbedtls_ssl_own_cert(ssl),
3492 p, len);
3493 switch (ret) {
3494 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3495 /* act as if f_async_decrypt_start was null */
3496 break;
3497 case 0:
3498 ssl->handshake->async_in_progress = 1;
3499 return ssl_resume_decrypt_pms(ssl,
3500 peer_pms,
3501 peer_pmslen,
3502 peer_pmssize);
3503 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3504 ssl->handshake->async_in_progress = 1;
3505 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3506 default:
3507 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3508 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3509 }
3510 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3511#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3513 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3514 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3515 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3516 }
3517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3518 ret = mbedtls_pk_decrypt(private_key, p, len,
3519 peer_pms, peer_pmslen, peer_pmssize,
3520 ssl->conf->f_rng, ssl->conf->p_rng);
3521 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3522}
3523
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3524MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3525static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3526 const unsigned char *p,
3527 const unsigned char *end,
3528 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3529{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3531 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3532 unsigned char ver[2];
3533 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3534 size_t peer_pmslen;
3535 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3536
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3537 /* In case of a failure in decryption, the decryption may write less than
3538 * 2 bytes of output, but we always read the first two bytes. It doesn't
3539 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3540 * ret being nonzero, and we only care whether diff is 0.
3541 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3542 * also makes memory analyzers happy (don't access uninitialized memory,
3543 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3544 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3545 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3547 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3548 peer_pms,
3549 &peer_pmslen,
3550 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3551
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3552#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3553 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3554 return ret;
3555 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3556#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3558 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3559 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3560
3561 /* Avoid data-dependent branches while checking for invalid
3562 * padding, to protect against timing-based Bleichenbacher-type
3563 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3564 diff = mbedtls_ct_bool(ret);
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100[diff] [blame]3565 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3566 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3567 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3568
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3569 /*
3570 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3571 * must not cause the connection to end immediately; instead, send a
3572 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3573 * To protect against timing-based variants of the attack, we must
3574 * not have any branch that depends on whether the decryption was
3575 * successful. In particular, always generate the fake premaster secret,
3576 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3577 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3579 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3580 /* It's ok to abort on an RNG failure, since this does not reveal
3581 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3582 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3583 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3584
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3585#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3586 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3587 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3588 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3589#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3591 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3592 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3593 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3594 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3595 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3596 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3597
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3598 /* Set pms to either the true or the fake PMS, without
3599 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3600 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3602 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3603}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3604#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3605 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3606
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3607#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3608MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3609static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3610 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3611{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3612 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3613 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3614
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3615 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3616 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3617 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3618 }
3619
3620 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3621 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3622 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3623 if (end - *p < 2) {
3624 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3625 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3626 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3627
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3628 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3629 *p += 2;
3630
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3631 if (n == 0 || n > end - *p) {
3632 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3633 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3634 }
3635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3636 if (ssl->conf->f_psk != NULL) {
3637 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3638 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3639 }
3640 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3641 /* Identity is not a big secret since clients send it in the clear,
3642 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3643 if (n != ssl->conf->psk_identity_len ||
3644 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3645 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3646 }
3647 }
3648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3649 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3650 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3651 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3652 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3653 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3654 }
3655
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3656 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3657
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3658 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3659}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3660#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3661
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3662MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3663static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3664{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3666 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3667 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3668
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3669 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3670
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3671 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3672
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3673#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3674 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3675 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3676 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3677 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3678 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3679 /* We've already read a record and there is an asynchronous
3680 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3681 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3682 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3683 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3684#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3685 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3686 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3687 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3688 }
3689
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3690 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3691 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3692
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3693 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3694 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3695 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3696 }
3697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3698 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3699 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3700 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3701 }
3702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3703#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3704 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3705 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3706 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3707 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3708 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3709
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3710 if (p != end) {
3711 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3712 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3713 }
3714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3715 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3716 ssl->handshake->premaster,
3717 MBEDTLS_PREMASTER_SIZE,
3718 &ssl->handshake->pmslen,
3719 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3720 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3721 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3722 }
3723
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3724 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3725 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3726#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3727#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3728 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3729 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3730 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3731 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3732 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3733 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3734 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3735#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3736 size_t data_len = (size_t) (*p++);
3737 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3738 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3739 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3740
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3741 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3742
3743 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3744 * We must have at least two bytes (1 for length, at least 1 for data)
3745 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3746 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3747 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3748 buf_len));
3749 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3750 }
3751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3752 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3753 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3754 " > %" MBEDTLS_PRINTF_SIZET,
3755 data_len, buf_len));
3756 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3757 }
3758
3759 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3760 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3761 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3762 " > %" MBEDTLS_PRINTF_SIZET,
3763 data_len,
3764 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3765 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3766 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3767 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3768 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3769
3770 /* Compute ECDH shared secret. */
3771 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3772 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3773 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3774 handshake->premaster, sizeof(handshake->premaster),
3775 &handshake->pmslen);
3776 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3777 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3778 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3779 if (handshake->xxdh_psa_privkey_is_external == 0) {
3780 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3781 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3782 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3783 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3784 }
3785
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3786 if (handshake->xxdh_psa_privkey_is_external == 0) {
3787 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3789 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3790 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3791 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3792 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3793 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3794 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3795 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3796#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3797 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3798 p, (size_t) (end - p))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3799 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3800 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3801 }
3802
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3803 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3804 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3805
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3806 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3807 &ssl->handshake->pmslen,
3808 ssl->handshake->premaster,
3809 MBEDTLS_MPI_MAX_SIZE,
3810 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3811 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3812 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3813 }
3814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3815 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3816 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3817#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3818 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3819#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3820 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3821 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3822 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3823#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3824 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3825 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3826 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3827 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3828 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3829
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3830 if (p != end) {
3831 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3832 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3833 }
3834
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3835#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3836 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3837 (mbedtls_key_exchange_type_t) ciphersuite_info->
3838 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3839 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3840 return ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3841 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3842#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3843 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3844#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3845#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3846 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3847#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3848 if (ssl->handshake->async_in_progress != 0) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3849 /* There is an asynchronous operation in progress to
3850 * decrypt the encrypted premaster secret, so skip
3851 * directly to resuming this operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3852 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3853 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3854 * won't actually use it, but maintain p anyway for robustness. */
3855 p += ssl->conf->psk_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3856 } else
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3857#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3858 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3859 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3860 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3861 }
3862
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3863 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3864 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3865 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3866 }
3867
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3868#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3869 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3870 (mbedtls_key_exchange_type_t) ciphersuite_info->
3871 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3872 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3873 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3874 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3875#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3876 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3877#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3878#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3879 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3880 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3881 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3882 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3883 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3884 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3885 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3886 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3887 }
3888
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3889 if (p != end) {
3890 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3891 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3892 }
3893
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3894#if defined(MBEDTLS_USE_PSA_CRYPTO)
3895 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3896 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3897 size_t pms_len;
3898
3899 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3900 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3901 pms + 2, pms_end - (pms + 2), &pms_len,
3902 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3903 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3904 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3905 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3906 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3907 pms += 2 + pms_len;
3908
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3909 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3910#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3911 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3912 (mbedtls_key_exchange_type_t) ciphersuite_info->
3913 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3914 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3915 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3916 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3917#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3918 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3919#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3920#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3921 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3922#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3923 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3924 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3925 uint8_t ecpoint_len;
3926
3927 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3928
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3929 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3930 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3931 psa_destroy_key(handshake->xxdh_psa_privkey);
3932 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3933 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3934 }
3935
3936 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3937 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3938 psa_destroy_key(handshake->xxdh_psa_privkey);
3939 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3940 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3941 }
3942
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3943 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3944 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3945 psa_destroy_key(handshake->xxdh_psa_privkey);
3946 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3947 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3948 }
3949
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3950 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3951 the sizes of the FFDH keys which are at least 2048 bits.
3952 The size of the array is thus greater than 256 bytes which is greater than any
3953 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3954#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3955 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3956 psa_destroy_key(handshake->xxdh_psa_privkey);
3957 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3958 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3959 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3960#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3961 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3962 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3963#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3964
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3965 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3966 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3967 p += ecpoint_len;
3968
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3969 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3970 * - a uint16 containing the length (in octets) of the ECDH computation
3971 * - the octet string produced by the ECDH computation
3972 * - a uint16 containing the length (in octets) of the PSK
3973 * - the PSK itself
3974 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3975 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3976 const unsigned char * const psm_end =
3977 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3978 /* uint16 to store length (in octets) of the ECDH computation */
3979 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3980 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3981
3982 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3983 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3984 handshake->xxdh_psa_privkey,
3985 handshake->xxdh_psa_peerkey,
3986 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3987 psm + zlen_size,
3988 psm_end - (psm + zlen_size),
3989 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3990
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3991 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3992 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3993
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3994 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3995 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3996 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3997 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3998 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3999
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]4000 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4001 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]4002 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]4003
Przemek Stekiel14d11b02022-04-14 08:33:29 +0200[diff] [blame]4004#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4005 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4006 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4007 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4008 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]4009
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4010 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4011 p, (size_t) (end - p))) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4012 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4013 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4014 }
4015
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4016 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4017 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]4018
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4019 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]4020 (mbedtls_key_exchange_type_t) ciphersuite_info->
4021 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4022 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4023 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]4024 }
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]4025#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4026 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4027#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4028#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4029 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
4030 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4031 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
4032 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4033 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4034 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4035#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4036#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4037 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4038#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4039 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4040 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4041 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4042 psa_destroy_key(ssl->handshake->psa_pake_password);
4043 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4044
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4045 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4046 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4047 }
4048#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4049 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]4050 p, (size_t) (end - p));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4051 if (ret != 0) {
4052 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4053 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4054 }
4055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4056 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4057 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4058 ssl->conf->f_rng, ssl->conf->p_rng);
4059 if (ret != 0) {
4060 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4061 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4062 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4063#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4064 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4065#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4066 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4067 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4068 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4069 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4070
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4071 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4072 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4073 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]4074 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4075
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4076 ssl->state++;
4077
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4078 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4079
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4080 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4081}
4082
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4083#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4084MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4085static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4086{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4087 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4088 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4090 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4091
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4092 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4093 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4094 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4095 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4096 }
4097
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4098 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4099 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4100}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4101#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4102MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4103static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4104{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4105 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4106 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4107 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4108 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4109 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4110 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4111 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4112 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4113 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4114 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4116 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4117
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4118 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4119 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4120 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4121 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4122 }
4123
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4124#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4125 if (ssl->session_negotiate->peer_cert == NULL) {
4126 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4127 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4128 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4129 }
4130#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4131 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4132 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4133 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4134 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4135 }
4136#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4137
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4138 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4139 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4140 if (0 != ret) {
4141 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4142 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4143 }
4144
4145 ssl->state++;
4146
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4147 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4148 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4149 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4150 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4151 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4152 }
4153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4154 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4155
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4156#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4157 peer_pk = &ssl->handshake->peer_pubkey;
4158#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4159 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4160 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4161 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4162 }
4163 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4164#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4165
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4166 /*
4167 * struct {
4168 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4169 * opaque signature<0..2^16-1>;
4170 * } DigitallySigned;
4171 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4172 if (i + 2 > ssl->in_hslen) {
4173 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4174 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4175 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4176
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4177 /*
4178 * Hash
4179 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4180 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4181
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4182 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4183 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4184 " for verify message"));
4185 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4186 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4187
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4188#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4189 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4190 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4191 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4192#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4193
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4194 /* Info from md_alg will be used instead */
4195 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4196
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4197 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4198
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4199 /*
4200 * Signature
4201 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4202 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4203 == MBEDTLS_PK_NONE) {
4204 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4205 " for verify message"));
4206 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]4207 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]4208
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4209 /*
4210 * Check the certificate's key type matches the signature alg
4211 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4212 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4213 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4214 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4215 }
4216
4217 i++;
4218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4219 if (i + 2 > ssl->in_hslen) {
4220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4221 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4222 }
4223
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]4224 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4225 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4227 if (i + sig_len != ssl->in_hslen) {
4228 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4229 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4230 }
4231
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4232 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4233 {
4234 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4235 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4236 if (0 != ret) {
4237 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4238 return ret;
4239 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4240 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4241
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4242 if ((ret = mbedtls_pk_verify(peer_pk,
4243 md_alg, hash_start, hashlen,
4244 ssl->in_msg + i, sig_len)) != 0) {
4245 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4246 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4247 }
4248
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4249 ret = mbedtls_ssl_update_handshake_status(ssl);
4250 if (0 != ret) {
4251 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4252 return ret;
4253 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4255 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4257 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4258}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4259#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4260
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4261#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4262MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4263static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4264{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4266 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]4267 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4268
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4269 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4271 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4272 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4273
4274 /*
4275 * struct {
4276 * uint32 ticket_lifetime_hint;
4277 * opaque ticket<0..2^16-1>;
4278 * } NewSessionTicket;
4279 *
4280 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4281 * 8 . 9 ticket_len (n)
4282 * 10 . 9+n ticket content
4283 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]4284
Ronald Cron3c0072b2023-11-22 10:00:14 +0100[diff] [blame^]4285#if defined(MBEDTLS_HAVE_TIME)
4286 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
4287#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4288 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4289 ssl->session_negotiate,
4290 ssl->out_msg + 10,
4291 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4292 &tlen, &lifetime)) != 0) {
4293 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]4294 tlen = 0;
4295 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4296
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4297 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4298 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4299 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4300
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]4301 /*
4302 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4303 * ChangeCipherSpec share the same state.
4304 */
4305 ssl->handshake->new_session_ticket = 0;
4306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4307 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4308 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4309 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4310 }
4311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4312 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4314 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4315}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4316#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4317
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4318/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4319 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4320 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4321int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4322{
4323 int ret = 0;
4324
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4325 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4326
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4327 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4328 case MBEDTLS_SSL_HELLO_REQUEST:
4329 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4330 break;
4331
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4332 /*
4333 * <== ClientHello
4334 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4335 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4336 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4337 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4338
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4339#if defined(MBEDTLS_SSL_PROTO_DTLS)
4340 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4341 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4342#endif
4343
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4344 /*
4345 * ==> ServerHello
4346 * Certificate
4347 * ( ServerKeyExchange )
4348 * ( CertificateRequest )
4349 * ServerHelloDone
4350 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4351 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4352 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4353 break;
4354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4355 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4356 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4357 break;
4358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4359 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4360 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4361 break;
4362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4363 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4364 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4365 break;
4366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4367 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4368 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4369 break;
4370
4371 /*
4372 * <== ( Certificate/Alert )
4373 * ClientKeyExchange
4374 * ( CertificateVerify )
4375 * ChangeCipherSpec
4376 * Finished
4377 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4378 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4379 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4380 break;
4381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4382 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4383 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4384 break;
4385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4386 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4387 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4388 break;
4389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4390 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4391 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4392 break;
4393
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4394 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4395 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4396 break;
4397
4398 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4399 * ==> ( NewSessionTicket )
4400 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4401 * Finished
4402 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4403 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4404#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4405 if (ssl->handshake->new_session_ticket != 0) {
4406 ret = ssl_write_new_session_ticket(ssl);
4407 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4408#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4409 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4410 break;
4411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4412 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4413 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4414 break;
4415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4416 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4417 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4418 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4419 break;
4420
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4421 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4422 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4423 break;
4424
4425 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4426 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4427 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4428 }
4429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4430 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4431}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4432
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4433void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4434{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4435 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4436}
4437
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4438#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */