TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4515d10163c4f531a67548d396dcc511b1b74aea / . / library / ssl_tls12_server.c
blob: a302af48edd19ea9701d019340eb99f09ca5a482 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Harry Ramsey0f6bc412024-10-04 10:36:54 +0100[diff] [blame]8#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]15#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]17#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]18#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]19#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]20
21#include <string.h>
22
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]23/* Define a local translating function to save code size by not using too many
24 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]25#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
26 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]34#endif
35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]41#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
46 const unsigned char *info,
47 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]48{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
50 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
51 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]52
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]54
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]55 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
56 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
57 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]58
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]59 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]60 ssl->cli_id_len = ilen;
61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
66 mbedtls_ssl_cookie_write_t *f_cookie_write,
67 mbedtls_ssl_cookie_check_t *f_cookie_check,
68 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]69{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]73}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]74#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]76#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]77MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]79{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 if (conf->f_psk != NULL) {
81 return 1;
82 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]83
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]84 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
85 return 0;
86 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]87
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]88
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]89 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
90 return 1;
91 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (conf->psk != NULL && conf->psk_len != 0) {
94 return 1;
95 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]96
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]97 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]99#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]100
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
103 const unsigned char *buf,
104 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]105{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]106#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]108 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]110 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]111 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
112 ssl->verify_data_len) != 0) {
113 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
114 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
115 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
116 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]117 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]120 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 if (len != 1 || buf[0] != 0x0) {
122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]126 }
127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]128 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]129 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]132}
133
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]134#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]135 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]136 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]137/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]138 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
139 * curves (TLS 1.2) extension.
140 *
141 * The "extension_data" field of a supported groups extension contains a
142 * "NamedGroupList" value (TLS 1.3 RFC8446):
143 * enum {
144 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
145 * x25519(0x001D), x448(0x001E),
146 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
147 * ffdhe6144(0x0103), ffdhe8192(0x0104),
148 * ffdhe_private_use(0x01FC..0x01FF),
149 * ecdhe_private_use(0xFE00..0xFEFF),
150 * (0xFFFF)
151 * } NamedGroup;
152 * struct {
153 * NamedGroup named_group_list<2..2^16-1>;
154 * } NamedGroupList;
155 *
156 * The "extension_data" field of a supported elliptic curves extension contains
157 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
158 * enum {
159 * deprecated(1..22),
160 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
161 * x25519(29), x448(30),
162 * reserved (0xFE00..0xFEFF),
163 * deprecated(0xFF01..0xFF02),
164 * (0xFFFF)
165 * } NamedCurve;
166 * struct {
167 * NamedCurve named_curve_list<2..2^16-1>
168 * } NamedCurveList;
169 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]170 * The TLS 1.3 supported groups extension was defined to be a compatible
171 * generalization of the TLS 1.2 supported elliptic curves extension. They both
172 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]173 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]174 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]175MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]176static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
177 const unsigned char *buf,
178 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]179{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]180 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]181 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]182 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184 if (len < 2) {
185 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
186 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
187 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
188 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]189 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]190 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (list_size + 2 != len ||
192 list_size % 2 != 0) {
193 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
194 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
195 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
196 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]197 }
198
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]199 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 if (ssl->handshake->curves_tls_id != NULL) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
204 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]205 }
206
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]207 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]208 * and leave room for a final 0 */
209 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]214 if ((curves_tls_id = mbedtls_calloc(our_size,
215 sizeof(*curves_tls_id))) == NULL) {
216 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
217 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
218 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]219 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]220
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]221 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]222
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]223 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]224 while (list_size > 0 && our_size > 1) {
225 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
228 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]229 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]231 }
232
233 list_size -= 2;
234 p += 2;
235 }
236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]237 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]238}
239
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]240MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
242 const unsigned char *buf,
243 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]244{
245 size_t list_size;
246 const unsigned char *p;
247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]248 if (len == 0 || (size_t) (buf[0] + 1) != len) {
249 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
250 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
251 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
252 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]253 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]254 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]256 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]257 while (list_size > 0) {
258 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
259 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
261 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]262 }
263
264 list_size--;
265 p++;
266 }
267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]269}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]270#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]271 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]272 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]273
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]274#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]275MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
277 const unsigned char *buf,
278 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]279{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]281
Manuel Pégourié-Gonnard58916762025-01-23 10:48:45 +0100[diff] [blame]282 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
284 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]285 }
286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 if ((ret = mbedtls_psa_ecjpake_read_round(
288 &ssl->handshake->psa_pake_ctx, buf, len,
289 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
290 psa_destroy_key(ssl->handshake->psa_pake_password);
291 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]293 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]294 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]295 ssl,
296 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300 }
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301
302 /* Only mark the extension as OK when we're sure it is */
303 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]305 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306}
307#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]309#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]310MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]311static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
312 const unsigned char *buf,
313 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]314{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
316 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
317 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
318 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
319 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]320 }
321
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]322 ssl->session_negotiate->mfl_code = buf[0];
323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]325}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]326#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]328#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]329MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
331 const unsigned char *buf,
332 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]333{
334 size_t peer_cid_len;
335
336 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
338 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
339 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
340 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
341 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]342 }
343
344 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]345 * struct {
346 * opaque cid<0..2^8-1>;
347 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]350 if (len < 1) {
351 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
352 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
353 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
354 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]355 }
356
357 peer_cid_len = *buf++;
358 len--;
359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]360 if (len != peer_cid_len) {
361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
362 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
364 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]365 }
366
367 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]369 /* Leave ssl->handshake->cid_in_use in its default
370 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
372 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373 }
374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
377 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
378 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
379 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]380 }
381
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]382 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]383 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
387 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]390}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]391#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]393#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]394MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
396 const unsigned char *buf,
397 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]398{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 if (len != 0) {
400 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
401 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
402 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
403 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]404 }
405
406 ((void) buf);
407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]410 }
411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]413}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]414#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]416#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]417MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]421{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 if (len != 0) {
423 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
424 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
425 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
426 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]427 }
428
429 ((void) buf);
430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]433 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]436}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]439#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]440MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
442 unsigned char *buf,
443 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]444{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]446 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]450 if (ssl->conf->f_ticket_parse == NULL ||
451 ssl->conf->f_ticket_write == NULL) {
452 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]453 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]454
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]455 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]456 ssl->handshake->new_session_ticket = 1;
457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (len == 0) {
461 return 0;
462 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
466 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
467 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]468 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]470
471 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]472 * Failures are ok: just ignore the ticket and proceed.
473 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
475 buf, len)) != 0) {
476 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]478 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
479 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
480 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
481 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
482 } else {
483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
484 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]488
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]489 /*
490 * Keep the session ID sent by the client, since we MUST send it back to
491 * inform them we're accepting the ticket (RFC 5077 section 3.4)
492 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]493 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 mbedtls_ssl_session_free(ssl->session_negotiate);
497 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]498
499 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]503
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]504 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]505
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]506 /* Don't send a new ticket after all, this one is OK */
507 ssl->handshake->new_session_ticket = 0;
508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]510}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]512
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]513#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]514MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
516 const unsigned char *buf,
517 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]518{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]519 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]521 size_t profile_length;
522 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]523 /*! 2 bytes for profile length and 1 byte for mki len */
524 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]525
526 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
528 (ssl->conf->dtls_srtp_profile_list == NULL) ||
529 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
530 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]531 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]532
533 /* RFC5764 section 4.1.1
534 * uint8 SRTPProtectionProfile[2];
535 *
536 * struct {
537 * SRTPProtectionProfiles SRTPProtectionProfiles;
538 * opaque srtp_mki<0..255>;
539 * } UseSRTPData;
540
541 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542 */
543
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]544 /*
545 * Min length is 5: at least one protection profile(2 bytes)
546 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]547 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]548 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]549 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]550 if (len < size_of_lengths) {
551 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
552 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
553 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]554 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]557
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]558 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]559 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]560 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]561
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]562 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if (profile_length > len - size_of_lengths ||
564 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
565 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
566 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
567 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]568 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]569 /*
570 * parse the extension list values are defined in
571 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
572 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]574 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]577 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
578 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
579 mbedtls_ssl_get_srtp_profile_as_string(
580 client_protection)));
581 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]582 continue;
583 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]584 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
586 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]587 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
589 mbedtls_ssl_get_srtp_profile_as_string(
590 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]592 }
593 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]595 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]598 buf += profile_length; /* buf points to the mki length */
599 mki_length = *buf;
600 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
603 mki_length + profile_length + size_of_lengths != len) {
604 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
605 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
606 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]607 }
608
609 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
611 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]612 ssl->dtls_srtp_info.mki_len = mki_length;
613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
617 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]618 }
619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621}
622#endif /* MBEDTLS_SSL_DTLS_SRTP */
623
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]624/*
625 * Auxiliary functions for ServerHello parsing and related actions
626 */
627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]629/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]630 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]631 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]632#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]633MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634static int ssl_check_key_curve(mbedtls_pk_context *pk,
635 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]636{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]637 uint16_t *curr_tls_id = curves_tls_id;
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]638 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]639 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]641 while (*curr_tls_id != 0) {
642 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
643 if (curr_grp_id == grp_id) {
644 return 0;
645 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]646 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]650}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]651#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]652
653/*
654 * Try picking a certificate for this ciphersuite,
655 * return 0 on success and -1 on failure.
656 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]657MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658static int ssl_pick_cert(mbedtls_ssl_context *ssl,
659 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]660{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]661 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]662 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]664 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]665 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]666 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]670 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]671 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]672#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]673 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]674
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]675 int pk_alg_is_none = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677 if (pk_alg_is_none) {
678 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]679 }
680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]681 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
682
683 if (list == NULL) {
684 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
685 return -1;
686 }
687
688 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]689 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]690 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
691 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]692
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]693 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]694#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
696 ssl->conf->f_async_decrypt_start != NULL ||
697 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
698 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]700 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (!key_type_matches) {
704 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]705 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]706 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]707
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]708 /*
709 * This avoids sending the client a cert it'll reject based on
710 * keyUsage or other extensions.
711 *
712 * It also allows the user to provision different certificates for
713 * different uses based on keyUsage, eg if they want to avoid signing
714 * and decrypting with the same RSA key.
715 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
Manuel Pégourié-Gonnard7a4aa4d2024-08-09 11:49:12 +0200[diff] [blame]717 MBEDTLS_SSL_IS_CLIENT,
718 MBEDTLS_SSL_VERSION_TLS1_2,
719 &flags) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
721 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]722 continue;
723 }
724
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]725#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg == MBEDTLS_PK_ECDSA &&
727 ssl_check_key_curve(&cur->cert->pk,
728 ssl->handshake->curves_tls_id) != 0) {
729 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]730 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]731 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]732#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]733
734 /* If we get there, we got a winner */
735 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]736 }
737
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]738 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]740 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]741 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
742 ssl->handshake->key_cert->cert);
743 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]744 }
745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]746 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]748#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]749
750/*
751 * Check if a given ciphersuite is suitable for use with our config/keys/etc
752 * Sets ciphersuite_info only if the suite matches.
753 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]754MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]755static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
756 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]757{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]759
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]760#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]761 mbedtls_pk_type_t sig_type;
762#endif
763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]764 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
765 if (suite_info == NULL) {
766 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
767 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]768 }
769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
771 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 if (suite_info->min_tls_version > ssl->tls_version ||
774 suite_info->max_tls_version < ssl->tls_version) {
775 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
776 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]777 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]778
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]779#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
781 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
782 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
783 "not configured or ext missing"));
784 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]785 }
786#endif
787
788
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]789#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]790 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]791 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
792 (ssl->handshake->curves_tls_id == NULL ||
793 ssl->handshake->curves_tls_id[0] == 0)) {
794 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
795 "no common elliptic curve"));
796 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]797 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798#endif
799
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]800#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]801 /* If the ciphersuite requires a pre-shared key and we don't
802 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]803 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
804 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
805 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
806 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]807 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808#endif
809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]811 /*
812 * Final check: if ciphersuite requires us to have a
813 * certificate/key of a particular type:
814 * - select the appropriate certificate if we have one, or
815 * - try the next ciphersuite if we don't
816 * This must be done last since we modify the key_cert list.
817 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]818 if (ssl_pick_cert(ssl, suite_info) != 0) {
819 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
820 "no suitable certificate"));
821 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]822 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]823#endif
824
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]825#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
826 /* If the ciphersuite requires signing, check whether
827 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]828 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
829 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]830 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
832 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
833 "for signature algorithm %u", (unsigned) sig_type));
834 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]835 }
836
837#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
838
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]839 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]840 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]841}
842
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]843/* This function doesn't alert on errors that happen early during
844 ClientHello parsing because they might indicate that the client is
845 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]846MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]849 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]850 size_t i, j;
851 size_t ciph_offset, comp_offset, ext_offset;
852 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]854 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]855#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]856 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]857#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]858 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]859#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]860 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]861 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]864 /* If there is no signature-algorithm extension present,
865 * we need to fall back to the default values for allowed
866 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]867#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]868 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]869#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]870
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]871 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]873 int renegotiating;
874
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]875#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]876read_record_header:
877#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]878 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]880 * otherwise read it ourselves manually in order to support SSLv2
881 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]882 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
883 * ClientHello has been already fully fetched by the TLS 1.3 code and the
884 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]885 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]886 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]887#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]889#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]890 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]892 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]893 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
894 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]895 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896 }
897
898 buf = ssl->in_hdr;
899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]900 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]901
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]902 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]903 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]904 *
905 * Record layer:
906 * 0 . 0 message type
907 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]908 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]909 * 3 . 4 message length
910 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
912 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]913
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]914 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
915 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
916 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]917 }
918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]920 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
923 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]924
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]925 /* For DTLS if this is the initial handshake, remember the client sequence
926 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929#if defined(MBEDTLS_SSL_RENEGOTIATION)
930 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]931#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]932 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]933 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
935 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
936 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]937 }
938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
940 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]943 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
944 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]945 ssl->next_record_offset = 0;
946 ssl->in_left = 0;
947 goto read_record_header;
948 }
949
950 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]952#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]953 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]955
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]956 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]961 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]963#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]964 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]965 if (ssl->keep_current_message) {
966 ssl->keep_current_message = 0;
967 } else {
968 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
969 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
970 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
971 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]972
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]973 if ((ret = mbedtls_ssl_fetch_input(ssl,
974 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
975 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
976 return ret;
977 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]978
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]979 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]981 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
982 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
983 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]984#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]985 ssl->in_left = 0;
986 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]987 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]988
989 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]992
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]993 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
994 if (0 != ret) {
995 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
996 return ret;
997 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]998
999 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1000 * Handshake layer:
1001 * 0 . 0 handshake type
1002 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1003 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1004 * 6 . 8 DTLS only: fragment offset
1005 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1006 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1008 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1009 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1010 }
1011
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1013
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1014 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1015 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1016 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1017 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1019#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1020 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1021 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1022 * Copy the client's handshake message_seq on initial handshakes,
1023 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1024 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1026 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1027 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1028 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1029 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1030 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1031 "%u (expected %u)", cli_msg_seq,
1032 ssl->handshake->in_msg_seq));
1033 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1034 }
1035
1036 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1037 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1038#endif
1039 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1040 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1041 ssl->handshake->out_msg_seq = cli_msg_seq;
1042 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1043 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1044 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1045 /*
1046 * For now we don't support fragmentation, so make sure
1047 * fragment_offset == 0 and fragment_length == length
1048 */
1049 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1050 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1051 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1052 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1053 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1054 4, ("fragment_offset=%u fragment_length=%u length=%u",
1055 (unsigned) fragment_offset, (unsigned) fragment_length,
1056 (unsigned) length));
1057 if (fragment_offset != 0 || length != fragment_length) {
1058 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1059 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1060 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1061 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1062 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1065 buf += mbedtls_ssl_hs_hdr_len(ssl);
1066 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1067
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1068 /*
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1069 * ClientHello layout:
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1070 * 0 . 1 protocol version
1071 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1072 * 34 . 34 session id length (1 byte)
1073 * 35 . 34+x session id, where x = session id length from byte 34
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1074 * 35+x . 35+x DTLS only: cookie length (1 byte)
1075 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1076 * .. . .. ciphersuite list length (2 bytes)
1077 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1078 * .. . .. compression alg. list length (1 byte)
1079 * .. . .. compression alg. list
1080 * .. . .. extensions length (2 bytes, optional)
1081 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1082 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1083
1084 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1085 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1086 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1087 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1088 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1089 if (msg_len < 38) {
1090 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1091 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1092 }
1093
1094 /*
1095 * Check and save the protocol version
1096 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1097 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1098
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1099 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1100 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1101 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1102 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1104 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1105 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1106 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1107 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1108 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1109 }
1110
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1111 /*
1112 * Save client random (inc. Unix time)
1113 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1114 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1117
1118 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1119 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1120 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1121 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1124 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1125 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1126 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1127 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1128 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1129 }
1130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1131 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1132
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1133 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1134 memset(ssl->session_negotiate->id, 0,
1135 sizeof(ssl->session_negotiate->id));
1136 memcpy(ssl->session_negotiate->id, buf + 35,
1137 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1138
1139 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1140 * Check the cookie length and content
1141 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1142#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1143 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1144 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1145 cookie_len = buf[cookie_offset];
1146
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1147 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1148 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1149 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1150 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1151 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1152 }
1153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1154 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1155 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1157#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1158 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1159#if defined(MBEDTLS_SSL_RENEGOTIATION)
1160 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1161#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1162 ) {
1163 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1164 buf + cookie_offset + 1, cookie_len,
1165 ssl->cli_id, ssl->cli_id_len) != 0) {
1166 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1167 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1168 } else {
1169 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1170 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1171 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1172 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1173#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1174 {
1175 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1177 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1178 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1179 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1180 }
1181
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1182 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1183 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 /*
1186 * Check the ciphersuitelist length (will be parsed later)
1187 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1188 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1189 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1190#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1191 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1192
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1193 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1195 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1196 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1197 (ciph_len % 2) != 0) {
1198 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1199 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1200 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1201 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1202 }
1203
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1204 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1205 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1206
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1207 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1208 * Check the compression algorithm's length.
1209 * The list contents are ignored because implementing
1210 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1211 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1212 */
1213 comp_offset = ciph_offset + 2 + ciph_len;
1214
1215 comp_len = buf[comp_offset];
1216
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1217 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1218 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1219 comp_len + comp_offset + 1 > msg_len) {
1220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1222 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1223 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1224 }
1225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1227 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 /*
1230 * Check the extension length
1231 */
1232 ext_offset = comp_offset + 1 + comp_len;
1233 if (msg_len > ext_offset) {
1234 if (msg_len < ext_offset + 2) {
1235 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1236 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1237 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1238 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1239 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1240
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1241 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1242
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1243 if (msg_len != ext_offset + 2 + ext_len) {
1244 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1245 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1246 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1247 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1248 }
1249 } else {
1250 ext_len = 0;
1251 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1253 ext = buf + ext_offset + 2;
1254 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1255
1256 while (ext_len != 0) {
1257 unsigned int ext_id;
1258 unsigned int ext_size;
1259 if (ext_len < 4) {
1260 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1261 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1262 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1263 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1264 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1265 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1266 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1267
1268 if (ext_size + 4 > ext_len) {
1269 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1270 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1271 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1272 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1273 }
1274 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1276 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1277 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1278 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1279 ext + 4 + ext_size);
1280 if (ret != 0) {
1281 return ret;
1282 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1283 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1284#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1285
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1286 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1287 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1289 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1290#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1292 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1293 if (ret != 0) {
1294 return ret;
1295 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1296 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1297
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1298#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1299 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1300 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1302 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1303 if (ret != 0) {
1304 return ret;
1305 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1306
1307 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1308 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1309#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1310
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1311#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1312 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1313 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1314 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1317 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1318 if (ret != 0) {
1319 return ret;
1320 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1321 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1322
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1323 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1325 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1326
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1327 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1328 if (ret != 0) {
1329 return ret;
1330 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1331 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1332#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1333 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1334 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1335
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1336#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1337 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1338 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1339
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1340 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1341 if (ret != 0) {
1342 return ret;
1343 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1344 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1345#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1347#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1348 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1349 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1351 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1352 if (ret != 0) {
1353 return ret;
1354 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1355 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1356#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1357
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1358#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1359 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1360 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1362 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1363 if (ret != 0) {
1364 return ret;
1365 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1366 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1367#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1373 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1374 if (ret != 0) {
1375 return ret;
1376 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1377 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1381 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1383
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1384 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1385 if (ret != 0) {
1386 return ret;
1387 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1388 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1392 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1395 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1396 if (ret != 0) {
1397 return ret;
1398 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1399 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1403 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1404 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1406 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1407 ext + 4 + ext_size);
1408 if (ret != 0) {
1409 return ret;
1410 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1411 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1413
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1414#if defined(MBEDTLS_SSL_DTLS_SRTP)
1415 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1416 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1417
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1418 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1419 if (ret != 0) {
1420 return ret;
1421 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1422 break;
1423#endif /* MBEDTLS_SSL_DTLS_SRTP */
1424
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1425 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1427 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1428 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1430 ext_len -= 4 + ext_size;
1431 ext += 4 + ext_size;
1432 }
1433
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1434#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1435
1436 /*
1437 * Try to fall back to default hash SHA1 if the client
1438 * hasn't provided any preferred signature-hash combinations.
1439 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1441 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1442 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1443#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1445 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1446#endif
1447#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1449 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1450#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1451 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1452 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1453
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1454 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1455 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1456 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1458 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1459 }
1460
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1461#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1462
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1463 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1464 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1465 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1467 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1468 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1469#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1471 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1472 "during renegotiation"));
1473 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1474 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1475 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1476 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1477#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1478 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1479 break;
1480 }
1481 }
1482
1483 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1484 * Renegotiation security checks
1485 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1486 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1487 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1488 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1489 handshake_failure = 1;
1490 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1494 renegotiation_info_seen == 0) {
1495 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1496 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1497 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1498 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1499 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1500 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1501 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1502 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1503 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1504 renegotiation_info_seen == 1) {
1505 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1506 handshake_failure = 1;
1507 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1508#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1509
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1510 if (handshake_failure == 1) {
1511 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1512 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1513 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1514 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1515
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1516 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1517 * Server certification selection (after processing TLS extensions)
1518 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1519 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1520 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1521 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1522 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1523#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1524 ssl->handshake->sni_name = NULL;
1525 ssl->handshake->sni_name_len = 0;
1526#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1527
1528 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1529 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1530 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1531 * and certificate from the SNI callback triggered by the SNI extension
1532 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1533 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1534 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1535 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1536 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1539 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1540 for (i = 0; ciphersuites[i] != 0; i++) {
1541 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1542 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1543 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1544
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1545 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1547 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1548 &ciphersuite_info)) != 0) {
1549 return ret;
1550 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1552 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1553 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1554 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1555 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1556 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1557 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1558 for (i = 0; ciphersuites[i] != 0; i++) {
1559 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1560 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1561 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1562 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1563
1564 got_common_suite = 1;
1565
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1566 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1567 &ciphersuite_info)) != 0) {
1568 return ret;
1569 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1571 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1572 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1573 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1574 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1575 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1576 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578 if (got_common_suite) {
1579 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1580 "but none of them usable"));
1581 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1582 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1583 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1584 } else {
1585 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1586 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1587 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1588 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1589 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1590
1591have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1592 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1593
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1594 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1595 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1596
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 ssl->state++;
1598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1599#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1600 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1601 mbedtls_ssl_recv_flight_completed(ssl);
1602 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1603#endif
1604
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1605 /* Debugging-only output for testsuite */
1606#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1607 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1608 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1609 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1610 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1611 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1612 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1613 sig_hash));
1614 } else {
1615 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1616 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1617 }
1618#endif
1619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1620 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1621
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1622 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1623}
1624
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1625#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1626static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1627 unsigned char *buf,
1628 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1629{
1630 unsigned char *p = buf;
1631 size_t ext_len;
1632 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1633
1634 *olen = 0;
1635
1636 /* Skip writing the extension if we don't want to use it or if
1637 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1638 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1639 return;
1640 }
1641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1643 * which is at most 255, so the increment cannot overflow. */
1644 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1645 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1646 return;
1647 }
1648
1649 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1650
1651 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1652 * struct {
1653 * opaque cid<0..2^8-1>;
1654 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1655 */
1656 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1657 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1658 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1659 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1660 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1661
1662 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1663 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1664
1665 *olen = ssl->own_cid_len + 5;
1666}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1667#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1668
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1669#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1670static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1671 unsigned char *buf,
1672 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1673{
1674 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1675 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1676
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1677 /*
1678 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1679 * from a client and then selects a stream or Authenticated Encryption
1680 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1681 * encrypt-then-MAC response extension back to the client."
1682 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1683 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1684 ssl->session_negotiate->ciphersuite);
1685 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1686 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1687 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1688 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1689 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1690 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1691 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1692
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1693 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1694 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1695 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1696 }
1697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1698 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1699 *olen = 0;
1700 return;
1701 }
1702
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1703 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1704
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1705 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1706 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1707
1708 *p++ = 0x00;
1709 *p++ = 0x00;
1710
1711 *olen = 4;
1712}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1713#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1715#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1716static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1717 unsigned char *buf,
1718 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1719{
1720 unsigned char *p = buf;
1721
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1722 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1723 *olen = 0;
1724 return;
1725 }
1726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1728 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1730 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1731 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1732
1733 *p++ = 0x00;
1734 *p++ = 0x00;
1735
1736 *olen = 4;
1737}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1738#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1739
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1740#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1741static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1742 unsigned char *buf,
1743 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1744{
1745 unsigned char *p = buf;
1746
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1747 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1748 *olen = 0;
1749 return;
1750 }
1751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1754 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1755 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1756
1757 *p++ = 0x00;
1758 *p++ = 0x00;
1759
1760 *olen = 4;
1761}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1764static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1765 unsigned char *buf,
1766 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1767{
1768 unsigned char *p = buf;
1769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1770 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1771 *olen = 0;
1772 return;
1773 }
1774
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1775 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1776
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1778 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1779
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1780#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1781 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1782 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1783 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1784 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1786 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1787 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1788 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1789 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1790 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1791#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1792 {
1793 *p++ = 0x00;
1794 *p++ = 0x01;
1795 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1796 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1797
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1798 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1799}
1800
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1802static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1803 unsigned char *buf,
1804 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1805{
1806 unsigned char *p = buf;
1807
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1808 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1809 *olen = 0;
1810 return;
1811 }
1812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1813 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1815 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1816 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1817
1818 *p++ = 0x00;
1819 *p++ = 1;
1820
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1821 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1822
1823 *olen = 5;
1824}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1825#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1826
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1827#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1828 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1829 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1830static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1831 unsigned char *buf,
1832 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1833{
1834 unsigned char *p = buf;
1835 ((void) ssl);
1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 if ((ssl->handshake->cli_exts &
1838 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1839 *olen = 0;
1840 return;
1841 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1842
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1843 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1844
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1845 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1846 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1847
1848 *p++ = 0x00;
1849 *p++ = 2;
1850
1851 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1853
1854 *olen = 6;
1855}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1856#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1857 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1858 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1859
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1860#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1861static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1862 unsigned char *buf,
1863 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1864{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1865 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1866 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1867 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1868 size_t kkpp_len;
1869
1870 *olen = 0;
1871
1872 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1873 if (ssl->handshake->ciphersuite_info->key_exchange !=
1874 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1875 return;
1876 }
1877
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1878 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1879
1880 if (end - p < 4) {
1881 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1882 return;
1883 }
1884
1885 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1886 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1887
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1888 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1889 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1890 MBEDTLS_ECJPAKE_ROUND_ONE);
1891 if (ret != 0) {
1892 psa_destroy_key(ssl->handshake->psa_pake_password);
1893 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1894 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1895 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1896 }
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1898 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1899 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1900
1901 *olen = kkpp_len + 4;
1902}
1903#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1904
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1905#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1906static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1907 unsigned char *buf,
1908 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1909{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1910 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1911 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1912 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1913
1914 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1915
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1916 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1917 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1918 return;
1919 }
1920
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1921 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1922
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1923 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1924 mki_len = ssl->dtls_srtp_info.mki_len;
1925 }
1926
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1927 /* The extension total size is 9 bytes :
1928 * - 2 bytes for the extension tag
1929 * - 2 bytes for the total size
1930 * - 2 bytes for the protection profile length
1931 * - 2 bytes for the protection profile
1932 * - 1 byte for the mki length
1933 * + the actual mki length
1934 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1935 if ((size_t) (end - buf) < mki_len + 9) {
1936 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1937 return;
1938 }
1939
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1940 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1941 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1942 /*
1943 * total length 5 and mki value: only one profile(2 bytes)
1944 * and length(2 bytes) and srtp_mki )
1945 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1946 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1947 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1948
1949 /* protection profile length: 2 */
1950 buf[4] = 0x00;
1951 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1952 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1953 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
1954 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
1955 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
1956 } else {
1957 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1958 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1959 }
1960
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1961 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1963
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1964 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1965}
1966#endif /* MBEDTLS_SSL_DTLS_SRTP */
1967
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1968#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1969MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1970static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1971{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1972 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1973 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]1974 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1976 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1977
1978 /*
1979 * struct {
1980 * ProtocolVersion server_version;
1981 * opaque cookie<0..2^8-1>;
1982 * } HelloVerifyRequest;
1983 */
1984
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1985 /* The RFC is not clear on this point, but sending the actual negotiated
1986 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1987 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
1988 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1989 p += 2;
1990
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1991 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 if (ssl->conf->f_cookie_write == NULL) {
1993 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
1994 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1995 }
1996
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]1997 /* Skip length byte until we know the length */
1998 cookie_len_byte = p++;
1999
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2000 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2001 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2002 ssl->cli_id, ssl->cli_id_len)) != 0) {
2003 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2004 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2005 }
2006
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2007 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2008
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2010
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2011 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2012 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2013 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2017 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2018 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2019 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2020 }
2021
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2022#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2023 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2024 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2025 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2026 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2027 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2028#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2030 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2031
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2032 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2033}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2035
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2036static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2037{
2038 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2039 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2040 mbedtls_ssl_session * const session = ssl->session_negotiate;
2041
2042 /* Resume is 0 by default, see ssl_handshake_init().
2043 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2044 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2045 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2046 }
2047 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2048 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2049 }
2050 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2051 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2052 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2053#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2054 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2055 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2056 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2057#endif
2058
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2059 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2060
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2061 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2062 session->id,
2063 session->id_len,
2064 &session_tmp);
2065 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2066 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2068
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2069 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2070 /* Mismatch between cached and negotiated session */
2071 goto exit;
2072 }
2073
2074 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2075 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2076 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2077 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2079 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2080 ssl->handshake->resume = 1;
2081
2082exit:
2083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2084 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2085}
2086
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2087MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2088static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2089{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2090#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2091 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2092#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2093 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2094 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2095 unsigned char *buf, *p;
2096
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2100 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2101 ssl->handshake->cookie_verify_result != 0) {
2102 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2103 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2104
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2105 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2106 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2108
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2109 /*
2110 * 0 . 0 handshake type
2111 * 1 . 3 handshake length
2112 * 4 . 5 protocol version
2113 * 6 . 9 UNIX time()
2114 * 10 . 37 random bytes
2115 */
2116 buf = ssl->out_msg;
2117 p = buf + 4;
2118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2119 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2120 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2123 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2125#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2126 t = mbedtls_time(NULL);
2127 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2128 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2129
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2130 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2131 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2132#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2134 return ret;
2135 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2136
2137 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2138#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2140 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 return ret;
2142 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2143 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2144
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2145#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2146 /*
2147 * RFC 8446
2148 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2149 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2150 * response to a ClientHello MUST set the last 8 bytes of their Random
2151 * value specially in their ServerHello.
2152 */
2153 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2154 static const unsigned char magic_tls12_downgrade_string[] =
2155 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2156
2157 MBEDTLS_STATIC_ASSERT(
2158 sizeof(magic_tls12_downgrade_string) == 8,
2159 "magic_tls12_downgrade_string does not have the expected size");
2160
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2161 memcpy(p, magic_tls12_downgrade_string,
2162 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2163 } else
2164#endif
2165 {
2166 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2167 return ret;
2168 }
2169 }
2170 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2172 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2174 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2180 * New session, create a new session id,
2181 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2183 ssl->state++;
2184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2185#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2186 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2187#endif
2188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2189#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2190 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2191 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2192 memset(ssl->session_negotiate->id, 0, 32);
2193 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2195 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2196 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2197 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2198 n)) != 0) {
2199 return ret;
2200 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2201 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2202 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2203 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2204 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2206 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2208
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2209 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2210 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2211 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2212 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213 }
2214
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2215 /*
2216 * 38 . 38 session id length
2217 * 39 . 38+n session id
2218 * 39+n . 40+n chosen ciphersuite
2219 * 41+n . 41+n chosen compression alg.
2220 * 42+n . 43+n extensions length
2221 * 44+n . 43+n+m extensions
2222 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2223 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2224 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2225 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2227 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2228 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2229 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2230 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2232 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2233 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2234 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2236 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2237 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2238 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2239 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2240
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2241 /*
2242 * First write extensions, then the total length
2243 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2244 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2245 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2247#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2249 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2250#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2251
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2252#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2253 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2254 ext_len += olen;
2255#endif
2256
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2257#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2259 ext_len += olen;
2260#endif
2261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2262#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2264 ext_len += olen;
2265#endif
2266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2267#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2268 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2269 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2270#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2271
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2272#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2273 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2274 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2275 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2276 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2277 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2278 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2279 ext_len += olen;
2280 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2281#endif
2282
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2283#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2284 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2285 ext_len += olen;
2286#endif
2287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2288#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2289 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2290 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2291 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2292 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2293 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2294
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2295 ext_len += olen;
2296#endif
2297
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2298#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2299 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2300 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2301#endif
2302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2303 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2304 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2306 if (ext_len > 0) {
2307 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2308 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2309 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2310
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2311 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2312 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2313 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2315 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2319 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2320}
2321
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2322#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2323MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2324static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2325{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2326 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2327 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2329 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2331 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2332 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2333 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2335 }
2336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2337 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2338 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2339}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2340#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2341MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2342static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2343{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2344 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2345 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2346 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2347 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2348 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2350 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2351 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2352 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2354 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2355
2356 ssl->state++;
2357
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2358#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2359 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2360 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2361 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2362#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2363 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2365 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2366 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2367 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2368 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2369 }
2370
2371 /*
2372 * 0 . 0 handshake type
2373 * 1 . 3 handshake length
2374 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2375 * 5 .. m-1 cert types
2376 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2377 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378 * n .. n+1 length of all DNs
2379 * n+2 .. n+3 length of DN 1
2380 * n+4 .. ... Distinguished Name #1
2381 * ... .. ... length of DN 2, etc.
2382 */
2383 buf = ssl->out_msg;
2384 p = buf + 4;
2385
2386 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2387 * Supported certificate types
2388 *
2389 * ClientCertificateType certificate_types<1..2^8-1>;
2390 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2392 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2393
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2394#if defined(MBEDTLS_RSA_C)
2395 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2396#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2397#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2399#endif
2400
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2401 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2402 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2403
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2404 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2405
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2406 /*
2407 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2408 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2409 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2410 *
2411 * struct {
2412 * HashAlgorithm hash;
2413 * SignatureAlgorithm signature;
2414 * } SignatureAndHashAlgorithm;
2415 *
2416 * enum { (255) } HashAlgorithm;
2417 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2418 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2420 if (sig_alg == NULL) {
2421 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2422 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2424 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2425 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2426
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2427 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2428 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2429 }
2430 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2431 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2432 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2433
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2434 /* Write elements at offsets starting from 1 (offset 0 is for the
2435 * length). Thus the offset of each element is the length of the
2436 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2437 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2438 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2439
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2440 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2441
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2442 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2443 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2444 sa_len += 2;
2445 p += sa_len;
2446
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2447 /*
2448 * DistinguishedName certificate_authorities<0..2^16-1>;
2449 * opaque DistinguishedName<1..2^16-1>;
2450 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2451 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2453 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2455 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2456 /* NOTE: If trusted certificates are provisioned
2457 * via a CA callback (configured through
2458 * `mbedtls_ssl_conf_ca_cb()`, then the
2459 * CertificateRequest is currently left empty. */
2460
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2461#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2462#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2463 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2464 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2466#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2467 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2468 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2469 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2470#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2471#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2472 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2473 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2474 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2475#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2476 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2478 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2479 /* It follows from RFC 5280 A.1 that this length
2480 * can be represented in at most 11 bits. */
2481 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2484 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2485 break;
2486 }
2487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2488 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2489 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2490 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2491 p += dn_size;
2492
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2493 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2494
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2495 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2496 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2497 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2498 }
2499
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2500 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2501 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2502 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2503 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2507 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2511#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2512
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2513#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2514 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2515MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2516static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2517{
2518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2519 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2520 mbedtls_pk_context *pk;
2521 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2522 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2523 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2524 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2525#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2526 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2527 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2528 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2529 mbedtls_ecp_keypair *key;
2530#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2532 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2534 if (pk == NULL) {
2535 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2536 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2537
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2538 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2539
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2540 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2541 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2542#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2543 case MBEDTLS_PK_ECKEY:
2544 case MBEDTLS_PK_ECKEY_DH:
2545 case MBEDTLS_PK_ECDSA:
2546#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2547 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2548 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2549 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2550
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2551 /* Get the attributes of the key previously parsed by PK module in
2552 * order to extract its type and length (in bits). */
2553 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2555 ret = PSA_TO_MBEDTLS_ERR(status);
2556 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2557 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2558 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2559 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2560
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2561#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2562 if (pk_type != MBEDTLS_PK_OPAQUE) {
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2563 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2564 * module and only have ECDSA capabilities. Since we need
2565 * them for ECDH later, we export and then re-import them with
2566 * proper flags and algorithm. Of course We also set key's type
2567 * and bits that we just got above. */
2568 key_attributes = psa_key_attributes_init();
2569 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2570 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2571 psa_set_key_type(&key_attributes,
2572 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2573 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2574
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2575 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2576 if (status != PSA_SUCCESS) {
2577 ret = PSA_TO_MBEDTLS_ERR(status);
2578 goto exit;
2579 }
2580 status = psa_import_key(&key_attributes, buf, key_len,
2581 &ssl->handshake->xxdh_psa_privkey);
2582 if (status != PSA_SUCCESS) {
2583 ret = PSA_TO_MBEDTLS_ERR(status);
2584 goto exit;
2585 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2586
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2587 /* Set this key as owned by the TLS library: it will be its duty
2588 * to clear it exit. */
2589 ssl->handshake->xxdh_psa_privkey_is_external = 0;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2590
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2591 ret = 0;
2592 break;
2593 }
2594#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2595
2596 /* Opaque key is created by the user (externally from Mbed TLS)
2597 * so we assume it already has the right algorithm and flags
2598 * set. Just copy its ID as reference. */
2599 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2600 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2601 ret = 0;
2602 break;
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2603
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2604#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2605 case MBEDTLS_PK_ECKEY:
2606 case MBEDTLS_PK_ECKEY_DH:
2607 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2608 key = mbedtls_pk_ec_rw(*pk);
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]2609 grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2610 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2611 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2612 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2613 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2614 if (tls_id == 0) {
2615 /* This elliptic curve is not supported */
2616 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2617 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 /* If the above conversion to TLS ID was fine, then also this one will
2620 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2621 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2622 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2623
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2624 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2625
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 key_attributes = psa_key_attributes_init();
2627 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2628 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2629 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2630 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2631 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2632
Gilles Peskine84b9f1b2024-02-19 16:44:29 +0100[diff] [blame]2633 ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2634 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2635 mbedtls_platform_zeroize(buf, sizeof(buf));
2636 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2637 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2638
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2639 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2640 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2641 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2642 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2643 mbedtls_platform_zeroize(buf, sizeof(buf));
2644 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2645 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2646
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2647 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2648 ret = 0;
2649 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2650#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2651 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2652 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2653 }
2654
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2655exit:
2656 psa_reset_key_attributes(&key_attributes);
2657 mbedtls_platform_zeroize(buf, sizeof(buf));
2658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2659 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2660}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2661#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2662 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2663
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2664#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2665 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2666MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2667static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2668 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2669{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2670 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2671 * signature length which will be added in ssl_write_server_key_exchange
2672 * after the call to ssl_prepare_server_key_exchange.
2673 * ssl_write_server_key_exchange also takes care of incrementing
2674 * ssl->out_msglen. */
2675 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2676 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2677 - sig_start);
2678 int ret = ssl->conf->f_async_resume(ssl,
2679 sig_start, signature_len, sig_max_len);
2680 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2681 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2682 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2683 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2684 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2685 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2686}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2687#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2688 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2689
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2690/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2691 * calculating the signature if any, but excluding formatting the
2692 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2693MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2694static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2695 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2696{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2697 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2698 ssl->handshake->ciphersuite_info;
2699
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2700#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2701#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2702 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2703#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2704#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2705
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2706 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2707#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2708 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2709#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2710
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2711#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2712#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2713 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2714#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2715 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2716#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2717#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2718
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2719 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2720
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2721 /*
2722 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2723 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2724 *
2725 */
2726
2727 /*
2728 * - ECJPAKE key exchanges
2729 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2730#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2731 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2732 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2733 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2734 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2735 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2736 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2737 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2738
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2739 /*
2740 * The first 3 bytes are:
2741 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2742 * [1, 2] elliptic curve's TLS ID
2743 *
2744 * However since we only support secp256r1 for now, we hardcode its
2745 * TLS ID here
2746 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2747 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2748 MBEDTLS_ECP_DP_SECP256R1);
2749 if (tls_id == 0) {
2750 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2751 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2752 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2753 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2754 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2755
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2756 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2757 out_p + output_offset,
2758 end_p - out_p - output_offset, &output_len,
2759 MBEDTLS_ECJPAKE_ROUND_TWO);
2760 if (ret != 0) {
2761 psa_destroy_key(ssl->handshake->psa_pake_password);
2762 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2763 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2764 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2765 }
2766
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2767 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2768 ssl->out_msglen += output_offset;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2769 }
2770#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2771
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2772 /*
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2773 * For ECDHE key exchanges with PSK, parameters are prefixed by support
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2774 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2775 * we use empty support identity hints here.
2776 **/
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2777#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2778 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2779 ssl->out_msg[ssl->out_msglen++] = 0x00;
2780 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2781 }
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2782#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2783
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2784 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2785 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2786 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2787#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2788 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2789 /*
2790 * Ephemeral ECDH parameters:
2791 *
2792 * struct {
2793 * ECParameters curve_params;
2794 * ECPoint public;
2795 * } ServerECDHParams;
2796 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2797 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +0100[diff] [blame]2798 const uint16_t *group_list = ssl->conf->group_list;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2799 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2800 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2801
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2802 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2803 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2804 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2805 }
2806 for (; *group_list != 0; group_list++) {
2807 for (curr_tls_id = ssl->handshake->curves_tls_id;
2808 *curr_tls_id != 0; curr_tls_id++) {
2809 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2810 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2811 }
2812 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2813 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2815curve_matching_done:
2816 if (*curr_tls_id == 0) {
2817 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2818 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2819 }
2820
2821 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2822 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2823
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2824 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2825 psa_key_attributes_t key_attributes;
2826 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2827 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2828 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2829 // data length(1)
2830 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2831 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2832 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2833
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2834 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2835
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2836 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2837 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2838 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2839 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2840 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2841 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2842 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2843 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2844 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2845
2846 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2847 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2848 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2849 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2850 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2851
2852 /*
2853 * ECParameters curve_params
2854 *
2855 * First byte is curve_type, always named_curve
2856 */
2857 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
2858
2859 /*
2860 * Next two bytes are the namedcurve value
2861 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2862 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2863 p += 2;
2864
2865 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2866 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2867 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2868 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2869 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2870 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
2871 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2872 }
2873
2874 /*
2875 * ECPoint public
2876 *
2877 * First byte is data length.
2878 * It will be filled later. p holds now the data length location.
2879 */
2880
2881 /* Export the public part of the ECDH private key from PSA.
2882 * Make one byte space for the length.
2883 */
2884 unsigned char *own_pubkey = p + data_length_size;
2885
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2886 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
2887 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2888
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2889 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2890 own_pubkey, own_pubkey_max_len,
2891 &len);
2892 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2893 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2894 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2895 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
2896 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2897 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2898 }
2899
2900 /* Store the length of the exported public key. */
2901 *p = (uint8_t) len;
2902
2903 /* Determine full message length. */
2904 len += header_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2905
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2906#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2907 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2908#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2909
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2910 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2911 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2912#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2913
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2914 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2915 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2916 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2917 * exchange parameters, compute and add the signature here.
2918 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2919 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2920#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2921 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2922 if (dig_signed == NULL) {
2923 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2924 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]2925 }
2926
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2927 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2928 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2929 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]2930
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2931 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2932
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2933 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2934 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]2935 * For TLS 1.2, obey signature-hash-algorithm extension
2936 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2937 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2938
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2939 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2940 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2941
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]2942 unsigned char sig_hash =
2943 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2944 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2945
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2946 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2947
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2948 /* For TLS 1.2, obey signature-hash-algorithm extension
2949 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2950 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
2951 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2952 /* (... because we choose a cipher suite
2953 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2954 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2955 }
2956
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2957 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2958
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2959 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2960 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2962 if (md_alg != MBEDTLS_MD_NONE) {
2963 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2964 dig_signed,
2965 dig_signed_len,
2966 md_alg);
2967 if (ret != 0) {
2968 return ret;
2969 }
2970 } else {
2971 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2972 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2973 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2974
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2975 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2976
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2977 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2978 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2979 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2980 /*
2981 * We need to specify signature and hash algorithm explicitly through
2982 * a prefix to the signature.
2983 *
2984 * struct {
2985 * HashAlgorithm hash;
2986 * SignatureAlgorithm signature;
2987 * } SignatureAndHashAlgorithm;
2988 *
2989 * struct {
2990 * SignatureAndHashAlgorithm algorithm;
2991 * opaque signature<0..2^16-1>;
2992 * } DigitallySigned;
2993 *
2994 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2995
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2996 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
2997 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2998
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2999#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 if (ssl->conf->f_async_sign_start != NULL) {
3001 ret = ssl->conf->f_async_sign_start(ssl,
3002 mbedtls_ssl_own_cert(ssl),
3003 md_alg, hash, hashlen);
3004 switch (ret) {
3005 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3006 /* act as if f_async_sign was null */
3007 break;
3008 case 0:
3009 ssl->handshake->async_in_progress = 1;
3010 return ssl_resume_server_key_exchange(ssl, signature_len);
3011 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3012 ssl->handshake->async_in_progress = 1;
3013 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3014 default:
3015 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3016 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3017 }
3018 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3019#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3020
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3021 if (mbedtls_ssl_own_key(ssl) == NULL) {
3022 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3023 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3024 }
3025
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3026 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3027 * signature length which will be added in ssl_write_server_key_exchange
3028 * after the call to ssl_prepare_server_key_exchange.
3029 * ssl_write_server_key_exchange also takes care of incrementing
3030 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3031 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3032 md_alg, hash, hashlen,
3033 ssl->out_msg + ssl->out_msglen + 2,
3034 out_buf_len - ssl->out_msglen - 2,
3035 signature_len,
3036 ssl->conf->f_rng,
3037 ssl->conf->p_rng)) != 0) {
3038 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3039 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3040 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3041 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3042#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3043
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3044 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3045}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3046
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3047/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3048 * that do not include a ServerKeyExchange message, do nothing. Either
3049 * way, if successful, move on to the next step in the SSL state
3050 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3051MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3052static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3053{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3054 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3055 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3056#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3057 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3058 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3059#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3060
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3062
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3063#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3064 /* Extract static ECDH parameters and abort if ServerKeyExchange
3065 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3066 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3067 /* For suites involving ECDH, extract DH parameters
3068 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3069#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3070 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3071 ret = ssl_get_ecdh_params_from_cert(ssl);
3072 if (ret != 0) {
3073 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3074 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3075 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3076 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3077#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3078
3079 /* Key exchanges not involving ephemeral keys don't use
3080 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3081 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3082 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3083 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3084 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3085#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3086
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3087#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3088 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3089 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3090 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3091 if (ssl->handshake->async_in_progress != 0) {
3092 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3093 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3094 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3095#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3096 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3097 {
3098 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3099 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3100 }
3101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3102 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3103 /* If we're starting to write a new message, set ssl->out_msglen
3104 * to 0. But if we're resuming after an asynchronous message,
3105 * out_msglen is the amount of data written so far and mst be
3106 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3107 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3108 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3109 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3110 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3111 }
3112 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3113 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3114
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3115 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3116 * ssl_prepare_server_key_exchange already wrote the signature
3117 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3118#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3119 if (signature_len != 0) {
3120 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3121 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3123 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3124 ssl->out_msg + ssl->out_msglen,
3125 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3126
3127 /* Skip over the already-written signature */
3128 ssl->out_msglen += signature_len;
3129 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3130#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3131
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3132 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3133 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3134 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3135
3136 ssl->state++;
3137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3138 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3139 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3140 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3141 }
3142
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3143 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3144 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3145}
3146
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3147MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3148static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3149{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3150 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3151
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3152 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3153
3154 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3155 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3156 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3157
3158 ssl->state++;
3159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3160#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3161 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3162 mbedtls_ssl_send_flight_completed(ssl);
3163 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3164#endif
3165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3166 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3167 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3168 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3169 }
3170
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3171#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3172 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3173 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3174 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3175 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3176 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3177#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3179 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3181 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3182}
3183
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3184#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3185
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3186#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3187MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3188static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3189 unsigned char *peer_pms,
3190 size_t *peer_pmslen,
3191 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3192{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3193 int ret = ssl->conf->f_async_resume(ssl,
3194 peer_pms, peer_pmslen, peer_pmssize);
3195 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3196 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3197 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3198 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3199 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3200 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3201}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3202#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3203
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3204MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3205static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3206 const unsigned char *p,
3207 const unsigned char *end,
3208 unsigned char *peer_pms,
3209 size_t *peer_pmslen,
3210 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3211{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3212 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3214 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3215 if (own_cert == NULL) {
3216 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3217 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3218 }
3219 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3220 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3221 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3222
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3223#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3224 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3225 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3226 if (ssl->handshake->async_in_progress != 0) {
3227 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3228 return ssl_resume_decrypt_pms(ssl,
3229 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3230 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3231#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3232
3233 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3234 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3235 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3236 if (p + 2 > end) {
3237 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3238 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3239 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3240 if (*p++ != MBEDTLS_BYTE_1(len) ||
3241 *p++ != MBEDTLS_BYTE_0(len)) {
3242 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3243 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3244 }
3245
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3246 if (p + len != end) {
3247 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3248 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3249 }
3250
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3251 /*
3252 * Decrypt the premaster secret
3253 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3254#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3255 if (ssl->conf->f_async_decrypt_start != NULL) {
3256 ret = ssl->conf->f_async_decrypt_start(ssl,
3257 mbedtls_ssl_own_cert(ssl),
3258 p, len);
3259 switch (ret) {
3260 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3261 /* act as if f_async_decrypt_start was null */
3262 break;
3263 case 0:
3264 ssl->handshake->async_in_progress = 1;
3265 return ssl_resume_decrypt_pms(ssl,
3266 peer_pms,
3267 peer_pmslen,
3268 peer_pmssize);
3269 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3270 ssl->handshake->async_in_progress = 1;
3271 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3272 default:
3273 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3274 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3275 }
3276 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3277#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3278
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3279 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3280 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3281 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3282 }
3283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3284 ret = mbedtls_pk_decrypt(private_key, p, len,
3285 peer_pms, peer_pmslen, peer_pmssize,
3286 ssl->conf->f_rng, ssl->conf->p_rng);
3287 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3288}
3289
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3290MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3291static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3292 const unsigned char *p,
3293 const unsigned char *end,
3294 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3295{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3296 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3297 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3298 unsigned char ver[2];
3299 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3300 size_t peer_pmslen;
3301 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3302
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3303 /* In case of a failure in decryption, the decryption may write less than
3304 * 2 bytes of output, but we always read the first two bytes. It doesn't
3305 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3306 * ret being nonzero, and we only care whether diff is 0.
3307 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3308 * also makes memory analyzers happy (don't access uninitialized memory,
3309 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3310 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3311 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3313 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3314 peer_pms,
3315 &peer_pmslen,
3316 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3317
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3318#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3319 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3320 return ret;
3321 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3322#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3324 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3325 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3326
3327 /* Avoid data-dependent branches while checking for invalid
3328 * padding, to protect against timing-based Bleichenbacher-type
3329 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3330 diff = mbedtls_ct_bool(ret);
Dave Rodgmanb7825ce2023-08-10 11:58:18 +0100[diff] [blame]3331 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3332 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3333 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3334
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3335 /*
3336 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3337 * must not cause the connection to end immediately; instead, send a
3338 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3339 * To protect against timing-based variants of the attack, we must
3340 * not have any branch that depends on whether the decryption was
3341 * successful. In particular, always generate the fake premaster secret,
3342 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3343 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3344 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3345 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3346 /* It's ok to abort on an RNG failure, since this does not reveal
3347 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3348 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3349 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3350
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3351#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3352 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3353 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3354 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3355#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3356
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3357 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3358 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3359 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3360 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3361 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3362 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3363
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3364 /* Set pms to either the true or the fake PMS, without
3365 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3366 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3367
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3368 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3369}
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3370#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3371
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3372#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3373MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3374static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3375 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3376{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3377 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3378 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3380 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3381 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3382 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3383 }
3384
3385 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3386 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3387 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3388 if (end - *p < 2) {
3389 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3390 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3391 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3392
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3393 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3394 *p += 2;
3395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3396 if (n == 0 || n > end - *p) {
3397 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3398 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3399 }
3400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3401 if (ssl->conf->f_psk != NULL) {
3402 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3403 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3404 }
3405 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3406 /* Identity is not a big secret since clients send it in the clear,
3407 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3408 if (n != ssl->conf->psk_identity_len ||
3409 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3410 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3411 }
3412 }
3413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3414 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3415 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3416 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3417 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3418 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3419 }
3420
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3421 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3423 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3424}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3425#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3426
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3427MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3428static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3429{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3430 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3431 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3432 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3433
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3434 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3435
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3436 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3437
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3438#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskineac767e52024-09-20 18:08:44 +0200[diff] [blame]3439 defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine712e9a12024-09-20 18:11:31 +0200[diff] [blame]3440 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3441 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3442 /* We've already read a record and there is an asynchronous
3443 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3444 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3445 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3446 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3447#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3448 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3449 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3450 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3451 }
3452
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3453 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3454 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3456 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3457 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3458 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459 }
3460
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3461 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3462 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3463 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3464 }
3465
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3466#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3467 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3468 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3469 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3470 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3471 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3472 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3473 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3474 size_t data_len = (size_t) (*p++);
3475 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3476 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3477 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3478
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3479 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3480
3481 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3482 * We must have at least two bytes (1 for length, at least 1 for data)
3483 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3484 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3485 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3486 buf_len));
3487 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3488 }
3489
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3490 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3491 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3492 " > %" MBEDTLS_PRINTF_SIZET,
3493 data_len, buf_len));
3494 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3495 }
3496
3497 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3498 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3499 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3500 " > %" MBEDTLS_PRINTF_SIZET,
3501 data_len,
3502 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3503 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3504 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3505 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3506 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3507
3508 /* Compute ECDH shared secret. */
3509 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3510 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3511 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3512 handshake->premaster, sizeof(handshake->premaster),
3513 &handshake->pmslen);
3514 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3515 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3516 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3517 if (handshake->xxdh_psa_privkey_is_external == 0) {
3518 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3519 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3520 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3521 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3522 }
3523
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3524 if (handshake->xxdh_psa_privkey_is_external == 0) {
3525 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3527 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3528 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3529 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3530 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3531 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3532 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3533 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3534 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3535#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3536 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3537 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3538 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3539#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3540 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3541 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3542 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3543 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3544 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3546 if (p != end) {
3547 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3548 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3549 }
3550
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3551 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3552#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3553#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3554 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3555 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3556 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Michael Schuster7e390282024-05-27 20:07:05 +0200[diff] [blame]3557 size_t ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3558
3559 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3560
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3561 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3562 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3563 psa_destroy_key(handshake->xxdh_psa_privkey);
3564 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3565 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3566 }
3567
3568 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3569 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3570 psa_destroy_key(handshake->xxdh_psa_privkey);
3571 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3572 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3573 }
3574
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3575 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3576 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3577 psa_destroy_key(handshake->xxdh_psa_privkey);
3578 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3579 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3580 }
3581
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3582 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3583 the sizes of the FFDH keys which are at least 2048 bits.
3584 The size of the array is thus greater than 256 bytes which is greater than any
3585 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3586#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3587 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3588 psa_destroy_key(handshake->xxdh_psa_privkey);
3589 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3590 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3591 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3592#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3593 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3594 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3595#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3596
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3597 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3598 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3599 p += ecpoint_len;
3600
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3601 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3602 * - a uint16 containing the length (in octets) of the ECDH computation
3603 * - the octet string produced by the ECDH computation
3604 * - a uint16 containing the length (in octets) of the PSK
3605 * - the PSK itself
3606 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3607 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3608 const unsigned char * const psm_end =
3609 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3610 /* uint16 to store length (in octets) of the ECDH computation */
3611 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3612 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3613
3614 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3615 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3616 handshake->xxdh_psa_privkey,
3617 handshake->xxdh_psa_peerkey,
3618 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3619 psm + zlen_size,
3620 psm_end - (psm + zlen_size),
3621 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3622
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3623 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3624 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3625
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3626 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3627 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3628 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3629 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3630 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3631
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3632 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3633 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3634 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3636 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3637#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3638#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3639 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3640 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3641 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3642 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3643 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3644 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3645#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3646#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3647 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3648 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3649 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3650 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
3651 psa_destroy_key(ssl->handshake->psa_pake_password);
3652 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3654 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
3655 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3656 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3657 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3658#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3659 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3660 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3661 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3662 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3664 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3665 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3666 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3667 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3668
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3669 ssl->state++;
3670
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3671 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3673 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3674}
3675
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3676#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3677MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3678static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3679{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3680 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3681 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3682
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3683 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3684
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3685 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3686 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3687 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3688 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3689 }
3690
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3691 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3692 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3693}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3694#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3695MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3696static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3697{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3698 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3699 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3700 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3701 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3702 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3703 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3704 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3705 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3706 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3707 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3708
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3709 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3711 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3712 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3713 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3714 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3715 }
3716
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3717#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3718 if (ssl->session_negotiate->peer_cert == NULL) {
3719 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3720 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3721 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3722 }
3723#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3724 if (ssl->session_negotiate->peer_cert_digest == NULL) {
3725 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3726 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3727 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3728 }
3729#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3730
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3731 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3732 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
3733 if (0 != ret) {
3734 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
3735 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3736 }
3737
3738 ssl->state++;
3739
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3740 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3741 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
3742 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
3743 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3744 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3745 }
3746
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3747 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3748
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3749#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3750 peer_pk = &ssl->handshake->peer_pubkey;
3751#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3752 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3753 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3754 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3755 }
3756 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3757#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3758
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3759 /*
3760 * struct {
3761 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3762 * opaque signature<0..2^16-1>;
3763 * } DigitallySigned;
3764 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3765 if (i + 2 > ssl->in_hslen) {
3766 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3767 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3768 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3769
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3770 /*
3771 * Hash
3772 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3773 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3774
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3775 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
3776 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3777 " for verify message"));
3778 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3779 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3780
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3781#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3782 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3783 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3784 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3785#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3786
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3787 /* Info from md_alg will be used instead */
3788 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3789
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3790 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3791
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3792 /*
3793 * Signature
3794 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3795 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
3796 == MBEDTLS_PK_NONE) {
3797 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3798 " for verify message"));
3799 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3800 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3801
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3802 /*
3803 * Check the certificate's key type matches the signature alg
3804 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3805 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3806 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
3807 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3808 }
3809
3810 i++;
3811
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3812 if (i + 2 > ssl->in_hslen) {
3813 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3814 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3815 }
3816
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3817 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3818 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3820 if (i + sig_len != ssl->in_hslen) {
3821 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3822 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3823 }
3824
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3825 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3826 {
3827 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3828 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
3829 if (0 != ret) {
3830 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3831 return ret;
3832 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3833 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3834
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3835 if ((ret = mbedtls_pk_verify(peer_pk,
3836 md_alg, hash_start, hashlen,
3837 ssl->in_msg + i, sig_len)) != 0) {
3838 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3839 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3840 }
3841
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3842 ret = mbedtls_ssl_update_handshake_status(ssl);
3843 if (0 != ret) {
3844 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
3845 return ret;
3846 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3848 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3849
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3850 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3851}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3852#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3853
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3854#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3855MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3856static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3857{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3858 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3859 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]3860 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3861
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3862 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3864 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3865 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3866
3867 /*
3868 * struct {
3869 * uint32 ticket_lifetime_hint;
3870 * opaque ticket<0..2^16-1>;
3871 * } NewSessionTicket;
3872 *
3873 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3874 * 8 . 9 ticket_len (n)
3875 * 10 . 9+n ticket content
3876 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3877
Ronald Cron3c0072b2023-11-22 10:00:14 +0100[diff] [blame]3878#if defined(MBEDTLS_HAVE_TIME)
3879 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
3880#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3881 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
3882 ssl->session_negotiate,
3883 ssl->out_msg + 10,
3884 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
3885 &tlen, &lifetime)) != 0) {
3886 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]3887 tlen = 0;
3888 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3889
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3890 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
3891 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3892 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3893
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]3894 /*
3895 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3896 * ChangeCipherSpec share the same state.
3897 */
3898 ssl->handshake->new_session_ticket = 0;
3899
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3900 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3901 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3902 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3903 }
3904
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3905 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3906
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3907 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3908}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3909#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3910
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3911/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3912 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3913 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3914int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3915{
3916 int ret = 0;
3917
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3918 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3919
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3920 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3921 case MBEDTLS_SSL_HELLO_REQUEST:
3922 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3923 break;
3924
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3925 /*
3926 * <== ClientHello
3927 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3928 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3929 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3930 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3931
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3932#if defined(MBEDTLS_SSL_PROTO_DTLS)
3933 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3934 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3935#endif
3936
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3937 /*
3938 * ==> ServerHello
3939 * Certificate
3940 * ( ServerKeyExchange )
3941 * ( CertificateRequest )
3942 * ServerHelloDone
3943 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3944 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3945 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3946 break;
3947
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3948 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3949 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3950 break;
3951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3952 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3953 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3954 break;
3955
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3956 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3957 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3958 break;
3959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3960 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3961 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3962 break;
3963
3964 /*
3965 * <== ( Certificate/Alert )
3966 * ClientKeyExchange
3967 * ( CertificateVerify )
3968 * ChangeCipherSpec
3969 * Finished
3970 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3971 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3972 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3973 break;
3974
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3975 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3976 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3977 break;
3978
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3979 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3980 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3981 break;
3982
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3983 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3984 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3985 break;
3986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3987 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3988 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3989 break;
3990
3991 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3992 * ==> ( NewSessionTicket )
3993 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3994 * Finished
3995 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3996 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3997#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3998 if (ssl->handshake->new_session_ticket != 0) {
3999 ret = ssl_write_new_session_ticket(ssl);
4000 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4001#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4002 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4003 break;
4004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4005 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4006 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4007 break;
4008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4009 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4010 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4011 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4012 break;
4013
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4014 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4015 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4016 break;
4017
4018 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4019 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4020 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4021 }
4022
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4023 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4024}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4025
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4026void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4027{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4028 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4029}
4030
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4031#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */