TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4dd89310e96817f6e6a67cbec99395db7074d1f6 / . / library / ssl_tls12_server.c
blob: 8d0129b33579c59f6950dc00bb2749cae9a64093 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]24#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]25
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]26#include "mbedtls/ssl.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]27#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]30#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]31#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]32#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33
34#include <string.h>
35
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]36#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]39#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
40 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]41static int local_err_translation(psa_status_t status)
42{
43 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]44 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]45 psa_generic_status_to_mbedtls);
46}
47#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]48#endif
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]49#endif
50
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]52#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]53#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]56#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]60int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
61 const unsigned char *info,
62 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]64 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
65 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
66 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]67
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]68 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]69
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]70 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
71 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
72 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]73
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]74 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75 ssl->cli_id_len = ilen;
76
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]77 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]78}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]79
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
81 mbedtls_ssl_cookie_write_t *f_cookie_write,
82 mbedtls_ssl_cookie_check_t *f_cookie_check,
83 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]84{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]85 conf->f_cookie_write = f_cookie_write;
86 conf->f_cookie_check = f_cookie_check;
87 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]88}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]90
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]91#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]92MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]94{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]95 if (conf->f_psk != NULL) {
96 return 1;
97 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]99 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
100 return 0;
101 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]102
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]103
104#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]105 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
106 return 1;
107 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]108#endif /* MBEDTLS_USE_PSA_CRYPTO */
109
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]110 if (conf->psk != NULL && conf->psk_len != 0) {
111 return 1;
112 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]115}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]116#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]117
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]118MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]119static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
120 const unsigned char *buf,
121 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]122{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]124 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]125 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]127 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]128 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
129 ssl->verify_data_len) != 0) {
130 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
131 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
132 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
133 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]134 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]135 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]136#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]137 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138 if (len != 1 || buf[0] != 0x0) {
139 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
140 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
141 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
142 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]143 }
144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]145 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]146 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]148 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]149}
150
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]151#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]152 defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]153 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]154/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]155 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
156 * curves (TLS 1.2) extension.
157 *
158 * The "extension_data" field of a supported groups extension contains a
159 * "NamedGroupList" value (TLS 1.3 RFC8446):
160 * enum {
161 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
162 * x25519(0x001D), x448(0x001E),
163 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
164 * ffdhe6144(0x0103), ffdhe8192(0x0104),
165 * ffdhe_private_use(0x01FC..0x01FF),
166 * ecdhe_private_use(0xFE00..0xFEFF),
167 * (0xFFFF)
168 * } NamedGroup;
169 * struct {
170 * NamedGroup named_group_list<2..2^16-1>;
171 * } NamedGroupList;
172 *
173 * The "extension_data" field of a supported elliptic curves extension contains
174 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
175 * enum {
176 * deprecated(1..22),
177 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
178 * x25519(29), x448(30),
179 * reserved (0xFE00..0xFEFF),
180 * deprecated(0xFF01..0xFF02),
181 * (0xFFFF)
182 * } NamedCurve;
183 * struct {
184 * NamedCurve named_curve_list<2..2^16-1>
185 * } NamedCurveList;
186 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]187 * The TLS 1.3 supported groups extension was defined to be a compatible
188 * generalization of the TLS 1.2 supported elliptic curves extension. They both
189 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]190 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]191 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]192MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
194 const unsigned char *buf,
195 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]196{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]197 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]198 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]199 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]200
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (len < 2) {
202 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
204 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
205 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]206 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]207 list_size = ((buf[0] << 8) | (buf[1]));
208 if (list_size + 2 != len ||
209 list_size % 2 != 0) {
210 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
212 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
213 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]214 }
215
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]216 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]217 if (ssl->handshake->curves_tls_id != NULL) {
218 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
219 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
220 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
221 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]222 }
223
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]224 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]225 * and leave room for a final 0 */
226 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]228 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]229 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]231 if ((curves_tls_id = mbedtls_calloc(our_size,
232 sizeof(*curves_tls_id))) == NULL) {
233 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
234 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
235 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]236 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]237
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]238 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]239
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]240 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241 while (list_size > 0 && our_size > 1) {
242 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]243
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]244 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
245 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]246 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]247 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]248 }
249
250 list_size -= 2;
251 p += 2;
252 }
253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]254 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255}
256
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]257MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]258static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
259 const unsigned char *buf,
260 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]261{
262 size_t list_size;
263 const unsigned char *p;
264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]265 if (len == 0 || (size_t) (buf[0] + 1) != len) {
266 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
268 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
269 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]270 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]271 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]272
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]273 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]274 while (list_size > 0) {
275 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
276 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]277#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
278 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]279 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]280#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]281#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
283 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
284 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]285#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]286 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
287 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]288 }
289
290 list_size--;
291 p++;
292 }
293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]294 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]295}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]296#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]297 MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]298
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]299#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]300MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]301static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
302 const unsigned char *buf,
303 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]304{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]305 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]307#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]308 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]309#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]310 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]311#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]312 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
314 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]315 }
316
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]317#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]318 if ((ret = mbedtls_psa_ecjpake_read_round(
319 &ssl->handshake->psa_pake_ctx, buf, len,
320 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
321 psa_destroy_key(ssl->handshake->psa_pake_password);
322 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]325 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 ssl,
327 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
328 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]331 }
332#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
334 buf, len)) != 0) {
335 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
336 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
337 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
338 return ret;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]339 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]340#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]341
342 /* Only mark the extension as OK when we're sure it is */
343 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]346}
347#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]349#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]350MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]351static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
352 const unsigned char *buf,
353 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]354{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]355 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
356 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
357 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
358 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
359 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]360 }
361
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]362 ssl->session_negotiate->mfl_code = buf[0];
363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]364 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]365}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]367
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]368#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]369MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]370static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
371 const unsigned char *buf,
372 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373{
374 size_t peer_cid_len;
375
376 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]377 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
378 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
379 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
380 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
381 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]382 }
383
384 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385 * struct {
386 * opaque cid<0..2^8-1>;
387 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 if (len < 1) {
391 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
392 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
393 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
394 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]395 }
396
397 peer_cid_len = *buf++;
398 len--;
399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 if (len != peer_cid_len) {
401 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
402 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
403 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
404 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]405 }
406
407 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]409 /* Leave ssl->handshake->cid_in_use in its default
410 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]411 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
412 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]413 }
414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
416 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
417 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
418 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
419 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]420 }
421
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]422 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]423 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]425
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]426 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
427 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]428
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]429 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]430}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]431#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]433#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]434MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
436 const unsigned char *buf,
437 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]438{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 if (len != 0) {
440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
441 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
442 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
443 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]444 }
445
446 ((void) buf);
447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]449 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]450 }
451
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]452 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]453}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]454#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]456#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]457MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
459 const unsigned char *buf,
460 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]461{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]462 if (len != 0) {
463 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
464 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
465 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
466 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]467 }
468
469 ((void) buf);
470
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]472 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]473 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]474
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]475 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]476}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]480MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]481static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
482 unsigned char *buf,
483 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]484{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]485 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]486 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]488 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]489
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]490 if (ssl->conf->f_ticket_parse == NULL ||
491 ssl->conf->f_ticket_write == NULL) {
492 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]493 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]494
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]495 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]496 ssl->handshake->new_session_ticket = 1;
497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 if (len == 0) {
501 return 0;
502 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]504#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
506 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
507 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]508 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]509#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]510
511 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]512 * Failures are ok: just ignore the ticket and proceed.
513 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]514 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
515 buf, len)) != 0) {
516 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
519 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
520 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
521 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
522 } else {
523 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
524 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]525
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]526 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]527 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]528
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]529 /*
530 * Keep the session ID sent by the client, since we MUST send it back to
531 * inform them we're accepting the ticket (RFC 5077 section 3.4)
532 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]533 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]534 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]536 mbedtls_ssl_session_free(ssl->session_negotiate);
537 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]538
539 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]540 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]543
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]544 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]545
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]546 /* Don't send a new ticket after all, this one is OK */
547 ssl->handshake->new_session_ticket = 0;
548
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]549 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]550}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]552
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]553#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]554MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
556 const unsigned char *buf,
557 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]558{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]559 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]560 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]561 size_t profile_length;
562 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]563 /*! 2 bytes for profile length and 1 byte for mki len */
564 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]565
566 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]567 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
568 (ssl->conf->dtls_srtp_profile_list == NULL) ||
569 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
570 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]571 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]572
573 /* RFC5764 section 4.1.1
574 * uint8 SRTPProtectionProfile[2];
575 *
576 * struct {
577 * SRTPProtectionProfiles SRTPProtectionProfiles;
578 * opaque srtp_mki<0..255>;
579 * } UseSRTPData;
580
581 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]582 */
583
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]584 /*
585 * Min length is 5: at least one protection profile(2 bytes)
586 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]587 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]588 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]589 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 if (len < size_of_lengths) {
591 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
592 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
593 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]594 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]598 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]599 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]600 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]602 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]603 if (profile_length > len - size_of_lengths ||
604 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
605 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
607 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]608 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]609 /*
610 * parse the extension list values are defined in
611 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
612 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]613 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]614 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]615 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]616
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
618 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
619 mbedtls_ssl_get_srtp_profile_as_string(
620 client_protection)));
621 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]622 continue;
623 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]624 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
626 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]627 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]628 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
629 mbedtls_ssl_get_srtp_profile_as_string(
630 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]631 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]632 }
633 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]635 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]637 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]638 buf += profile_length; /* buf points to the mki length */
639 mki_length = *buf;
640 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]642 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
643 mki_length + profile_length + size_of_lengths != len) {
644 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
645 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
646 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]647 }
648
649 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
651 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]652 ssl->dtls_srtp_info.mki_len = mki_length;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]655
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]656 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
657 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]658 }
659
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]660 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]661}
662#endif /* MBEDTLS_SSL_DTLS_SRTP */
663
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]664/*
665 * Auxiliary functions for ServerHello parsing and related actions
666 */
667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]669/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]670 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]671 */
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]672#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]673MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674static int ssl_check_key_curve(mbedtls_pk_context *pk,
675 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]676{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]677 uint16_t *curr_tls_id = curves_tls_id;
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]678 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]679 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]681 while (*curr_tls_id != 0) {
682 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
683 if (curr_grp_id == grp_id) {
684 return 0;
685 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]686 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]687 }
688
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]689 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]690}
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]691#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]692
693/*
694 * Try picking a certificate for this ciphersuite,
695 * return 0 on success and -1 on failure.
696 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]697MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]698static int ssl_pick_cert(mbedtls_ssl_context *ssl,
699 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]700{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]701 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#if defined(MBEDTLS_USE_PSA_CRYPTO)
703 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]705 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]706 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]707#else
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]708 mbedtls_pk_type_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]709 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]710#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]711 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]713#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]714 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]715 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]717#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]719
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]720 int pk_alg_is_none = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]721#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]723#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]724 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]725#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg_is_none) {
727 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]728 }
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
731
732 if (list == NULL) {
733 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
734 return -1;
735 }
736
737 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]738 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
740 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]741
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]742 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]743#if defined(MBEDTLS_USE_PSA_CRYPTO)
744#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
746 ssl->conf->f_async_decrypt_start != NULL ||
747 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
748 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]749#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]750 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]751 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]752#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
753#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]754 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]755#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 if (!key_type_matches) {
757 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]758 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]759 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]760
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]761 /*
762 * This avoids sending the client a cert it'll reject based on
763 * keyUsage or other extensions.
764 *
765 * It also allows the user to provision different certificates for
766 * different uses based on keyUsage, eg if they want to avoid signing
767 * and decrypting with the same RSA key.
768 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]769 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
770 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
771 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
772 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]773 continue;
774 }
775
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]776#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]777 if (pk_alg == MBEDTLS_PK_ECDSA &&
778 ssl_check_key_curve(&cur->cert->pk,
779 ssl->handshake->curves_tls_id) != 0) {
780 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]781 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]782 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]783#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]784
785 /* If we get there, we got a winner */
786 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]787 }
788
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]789 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]790 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]791 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]792 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
793 ssl->handshake->key_cert->cert);
794 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]795 }
796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]797 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]798}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]799#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]800
801/*
802 * Check if a given ciphersuite is suitable for use with our config/keys/etc
803 * Sets ciphersuite_info only if the suite matches.
804 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]805MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]806static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
807 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]808{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]809 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]810
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]811#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]812 mbedtls_pk_type_t sig_type;
813#endif
814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
816 if (suite_info == NULL) {
817 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
818 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]819 }
820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
822 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]823
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]824 if (suite_info->min_tls_version > ssl->tls_version ||
825 suite_info->max_tls_version < ssl->tls_version) {
826 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
827 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]828 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]829
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]830#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
832 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
833 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
834 "not configured or ext missing"));
835 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]836 }
837#endif
838
839
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]840#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]841 defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]842 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
843 (ssl->handshake->curves_tls_id == NULL ||
844 ssl->handshake->curves_tls_id[0] == 0)) {
845 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
846 "no common elliptic curve"));
847 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]848 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]849#endif
850
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]851#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]852 /* If the ciphersuite requires a pre-shared key and we don't
853 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
855 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
856 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
857 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]858 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]859#endif
860
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]861#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]862 /*
863 * Final check: if ciphersuite requires us to have a
864 * certificate/key of a particular type:
865 * - select the appropriate certificate if we have one, or
866 * - try the next ciphersuite if we don't
867 * This must be done last since we modify the key_cert list.
868 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]869 if (ssl_pick_cert(ssl, suite_info) != 0) {
870 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
871 "no suitable certificate"));
872 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]873 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]874#endif
875
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]876#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
877 /* If the ciphersuite requires signing, check whether
878 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]879 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
880 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]881 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]882 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
883 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
884 "for signature algorithm %u", (unsigned) sig_type));
885 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]886 }
887
888#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
889
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]890 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]892}
893
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]894/* This function doesn't alert on errors that happen early during
895 ClientHello parsing because they might indicate that the client is
896 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]897MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]900 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]901 size_t i, j;
902 size_t ciph_offset, comp_offset, ext_offset;
903 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]905 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]906#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]907 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]908#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]909 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]910#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]911 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]912 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]913 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]915 /* If there is no signature-algorithm extension present,
916 * we need to fall back to the default values for allowed
917 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]918#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]919 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]920#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]924 int renegotiating;
925
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]926#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]927read_record_header:
928#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]929 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]930 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]931 * otherwise read it ourselves manually in order to support SSLv2
932 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]933 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
934 * ClientHello has been already fully fetched by the TLS 1.3 code and the
935 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]936 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]937 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]938#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]939 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]940#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]941 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]943 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
945 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]946 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947 }
948
949 buf = ssl->in_hdr;
950
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]952
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]953 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]954 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]955 *
956 * Record layer:
957 * 0 . 0 message type
958 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]959 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]960 * 3 . 4 message length
961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
963 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]964
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
966 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
967 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]968 }
969
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]970 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
971 (ssl->in_len[0] << 8) | ssl->in_len[1]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]972
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
974 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]975
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]976 /* For DTLS if this is the initial handshake, remember the client sequence
977 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980#if defined(MBEDTLS_SSL_RENEGOTIATION)
981 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]982#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]983 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]984 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]985 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
986 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
987 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]988 }
989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
991 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]994 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
995 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]996 ssl->next_record_offset = 0;
997 ssl->in_left = 0;
998 goto read_record_header;
999 }
1000
1001 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1002 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]1003#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1004 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1006
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1009#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1010 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]1012 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1013 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1014#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1015 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1016 if (ssl->keep_current_message) {
1017 ssl->keep_current_message = 0;
1018 } else {
1019 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1020 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1021 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1022 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1023
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1024 if ((ret = mbedtls_ssl_fetch_input(ssl,
1025 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1026 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1027 return ret;
1028 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1029
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1030 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1031#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1032 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1033 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1034 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1035#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]1036 ssl->in_left = 0;
1037 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]1038 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1039
1040 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1041
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1042 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1043
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1044 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1045 if (0 != ret) {
1046 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1047 return ret;
1048 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1049
1050 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1051 * Handshake layer:
1052 * 0 . 0 handshake type
1053 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1054 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1055 * 6 . 8 DTLS only: fragment offset
1056 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1057 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1058 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1059 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1060 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1061 }
1062
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1063 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1065 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1066 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1067 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1068 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1069 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1070 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1071 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1072 (unsigned) handshake_len));
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1073
1074 /* The record layer has a record size limit of 2^14 - 1 and
1075 * fragmentation is not supported, so buf[1] should be zero. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076 if (buf[1] != 0) {
1077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1078 (unsigned) buf[1]));
1079 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1080 }
1081
1082 /* We don't support fragmentation of ClientHello (yet?) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1083 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1084 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1085 (unsigned) msg_len,
1086 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1087 (unsigned) handshake_len));
1088 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1089 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1090 }
1091
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1092#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1094 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1095 * Copy the client's handshake message_seq on initial handshakes,
1096 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1097 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1100 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1101 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1102 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1103 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1104 "%u (expected %u)", cli_msg_seq,
1105 ssl->handshake->in_msg_seq));
1106 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1107 }
1108
1109 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1111#endif
1112 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1113 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1114 ssl->handshake->out_msg_seq = cli_msg_seq;
1115 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1116 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1117 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1118 /*
1119 * For now we don't support fragmentation, so make sure
1120 * fragment_offset == 0 and fragment_length == length
1121 */
1122 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1124 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1125 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1126 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1127 4, ("fragment_offset=%u fragment_length=%u length=%u",
1128 (unsigned) fragment_offset, (unsigned) fragment_length,
1129 (unsigned) length));
1130 if (fragment_offset != 0 || length != fragment_length) {
1131 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1132 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1133 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1134 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1135 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1138 buf += mbedtls_ssl_hs_hdr_len(ssl);
1139 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1140
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1141 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1142 * ClientHello layer:
1143 * 0 . 1 protocol version
1144 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1145 * 34 . 35 session id length (1 byte)
1146 * 35 . 34+x session id
1147 * 35+x . 35+x DTLS only: cookie length (1 byte)
1148 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1149 * .. . .. ciphersuite list length (2 bytes)
1150 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1151 * .. . .. compression alg. list length (1 byte)
1152 * .. . .. compression alg. list
1153 * .. . .. extensions length (2 bytes, optional)
1154 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1155 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1156
1157 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1158 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1159 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1160 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1161 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1162 if (msg_len < 38) {
1163 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1164 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1165 }
1166
1167 /*
1168 * Check and save the protocol version
1169 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1170 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1171
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1172 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1173 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1174 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1177 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1178 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1179 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1180 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1181 }
1182
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1183 /*
1184 * Save client random (inc. Unix time)
1185 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1186 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1187
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1188 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1189
1190 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1191 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1192 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1193 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1194
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1195 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1196 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1197 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1198 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1199 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1200 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1201 }
1202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1204
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1205 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1206 memset(ssl->session_negotiate->id, 0,
1207 sizeof(ssl->session_negotiate->id));
1208 memcpy(ssl->session_negotiate->id, buf + 35,
1209 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1210
1211 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1212 * Check the cookie length and content
1213 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1214#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1216 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1217 cookie_len = buf[cookie_offset];
1218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1219 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1220 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1222 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1223 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1224 }
1225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1226 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1227 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1229#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1230 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231#if defined(MBEDTLS_SSL_RENEGOTIATION)
1232 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1233#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1234 ) {
1235 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1236 buf + cookie_offset + 1, cookie_len,
1237 ssl->cli_id, ssl->cli_id_len) != 0) {
1238 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1239 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1240 } else {
1241 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1242 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1243 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1244 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1245#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1246 {
1247 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1248 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1249 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1251 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1252 }
1253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1254 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1255 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1257 /*
1258 * Check the ciphersuitelist length (will be parsed later)
1259 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1260 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1261 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1262#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1263 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 ciph_len = (buf[ciph_offset + 0] << 8)
1266 | (buf[ciph_offset + 1]);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1268 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1269 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1270 (ciph_len % 2) != 0) {
1271 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1272 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1273 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1274 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1275 }
1276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1277 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1278 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1279
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1280 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1281 * Check the compression algorithm's length.
1282 * The list contents are ignored because implementing
1283 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1284 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1285 */
1286 comp_offset = ciph_offset + 2 + ciph_len;
1287
1288 comp_len = buf[comp_offset];
1289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1290 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1291 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1292 comp_len + comp_offset + 1 > msg_len) {
1293 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1294 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1295 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1296 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1297 }
1298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1299 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1300 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1302 /*
1303 * Check the extension length
1304 */
1305 ext_offset = comp_offset + 1 + comp_len;
1306 if (msg_len > ext_offset) {
1307 if (msg_len < ext_offset + 2) {
1308 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1309 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1310 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1311 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1312 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1313
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1314 ext_len = (buf[ext_offset + 0] << 8)
1315 | (buf[ext_offset + 1]);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1317 if (msg_len != ext_offset + 2 + ext_len) {
1318 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1319 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1320 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1321 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1322 }
1323 } else {
1324 ext_len = 0;
1325 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1326
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1327 ext = buf + ext_offset + 2;
1328 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1329
1330 while (ext_len != 0) {
1331 unsigned int ext_id;
1332 unsigned int ext_size;
1333 if (ext_len < 4) {
1334 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1335 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1336 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1337 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1338 }
1339 ext_id = ((ext[0] << 8) | (ext[1]));
1340 ext_size = ((ext[2] << 8) | (ext[3]));
1341
1342 if (ext_size + 4 > ext_len) {
1343 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1344 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1345 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1346 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1347 }
1348 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1350 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1351 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1352 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1353 ext + 4 + ext_size);
1354 if (ret != 0) {
1355 return ret;
1356 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1357 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1358#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1359
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1360 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1361 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1363 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1364#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1365
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1366 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1367 if (ret != 0) {
1368 return ret;
1369 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1370 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1371
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1372#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1373 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1377 if (ret != 0) {
1378 return ret;
1379 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1380
1381 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1382 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1383#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1384
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1385#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]1386 defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1387 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1388 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1389 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1391 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1392 if (ret != 0) {
1393 return ret;
1394 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1395 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1396
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1397 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1398 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1399 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1401 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1402 if (ret != 0) {
1403 return ret;
1404 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1405 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1406#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settic2232ea2023-07-05 18:57:52 +0200[diff] [blame]1407 MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1408
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1409#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1410 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1413 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1414 if (ret != 0) {
1415 return ret;
1416 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1417 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1418#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1419
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1420#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1421 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1422 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1424 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1425 if (ret != 0) {
1426 return ret;
1427 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1428 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1430
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1431#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1432 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1435 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1436 if (ret != 0) {
1437 return ret;
1438 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1439 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1440#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1443 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1446 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1447 if (ret != 0) {
1448 return ret;
1449 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1450 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1454 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1455 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1456
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1457 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1458 if (ret != 0) {
1459 return ret;
1460 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1461 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1464#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1465 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1469 if (ret != 0) {
1470 return ret;
1471 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1472 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1476 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1477 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1479 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1480 ext + 4 + ext_size);
1481 if (ret != 0) {
1482 return ret;
1483 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1484 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1485#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1486
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1487#if defined(MBEDTLS_SSL_DTLS_SRTP)
1488 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1489 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1490
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1491 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1492 if (ret != 0) {
1493 return ret;
1494 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1495 break;
1496#endif /* MBEDTLS_SSL_DTLS_SRTP */
1497
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1498 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1500 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1501 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1502
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1503 ext_len -= 4 + ext_size;
1504 ext += 4 + ext_size;
1505 }
1506
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1507#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1508
1509 /*
1510 * Try to fall back to default hash SHA1 if the client
1511 * hasn't provided any preferred signature-hash combinations.
1512 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1514 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1515 const uint16_t default_sig_algs[] = {
Valerio Setti1fa5c562023-03-20 13:56:38 +0100[diff] [blame]1516#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1517 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1518 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1519#endif
1520#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1521 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1522 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1523#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1524 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1525 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1526
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1527 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1528 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1529 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1531 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1532 }
1533
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1534#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1535
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1536 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1537 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1538 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1539 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1540 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1541 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1542#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1543 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1544 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1545 "during renegotiation"));
1546 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1547 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1548 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1549 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1550#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1551 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1552 break;
1553 }
1554 }
1555
1556 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1557 * Renegotiation security checks
1558 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1559 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1560 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1561 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1562 handshake_failure = 1;
1563 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1564#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1567 renegotiation_info_seen == 0) {
1568 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1569 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1570 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1571 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1572 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1573 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1574 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1575 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1576 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1577 renegotiation_info_seen == 1) {
1578 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1579 handshake_failure = 1;
1580 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1582
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1583 if (handshake_failure == 1) {
1584 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1585 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1586 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1587 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1588
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1589 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1590 * Server certification selection (after processing TLS extensions)
1591 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1592 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1593 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1594 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1595 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1596#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1597 ssl->handshake->sni_name = NULL;
1598 ssl->handshake->sni_name_len = 0;
1599#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1600
1601 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1602 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1603 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1604 * and certificate from the SNI callback triggered by the SNI extension
1605 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1606 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1607 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1608 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1609 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1611 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1612 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1613 for (i = 0; ciphersuites[i] != 0; i++) {
1614 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1615 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1616 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1617
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1618 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1620 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1621 &ciphersuite_info)) != 0) {
1622 return ret;
1623 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1624
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1625 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1626 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1627 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1628 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1629 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1630 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1631 for (i = 0; ciphersuites[i] != 0; i++) {
1632 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1633 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1634 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1636
1637 got_common_suite = 1;
1638
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1639 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1640 &ciphersuite_info)) != 0) {
1641 return ret;
1642 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1644 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1645 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1646 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1647 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1648 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1649 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1650
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1651 if (got_common_suite) {
1652 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1653 "but none of them usable"));
1654 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1655 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1656 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1657 } else {
1658 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1659 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1660 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1661 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1662 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1663
1664have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1666
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1667 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1668 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1669
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1670 ssl->state++;
1671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1672#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1674 mbedtls_ssl_recv_flight_completed(ssl);
1675 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1676#endif
1677
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1678 /* Debugging-only output for testsuite */
1679#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1680 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1681 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1682 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1683 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1684 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1685 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1686 sig_hash));
1687 } else {
1688 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1689 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1690 }
1691#endif
1692
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1693 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1695 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696}
1697
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1698#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1699static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1700 unsigned char *buf,
1701 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1702{
1703 unsigned char *p = buf;
1704 size_t ext_len;
1705 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1706
1707 *olen = 0;
1708
1709 /* Skip writing the extension if we don't want to use it or if
1710 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1711 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1712 return;
1713 }
1714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1715 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1716 * which is at most 255, so the increment cannot overflow. */
1717 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1718 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1719 return;
1720 }
1721
1722 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1723
1724 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1725 * struct {
1726 * opaque cid<0..2^8-1>;
1727 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1728 */
1729 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1730 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1731 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1732 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1733 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1734
1735 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1736 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1737
1738 *olen = ssl->own_cid_len + 5;
1739}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1740#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1741
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1742#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1743static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1744 unsigned char *buf,
1745 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1746{
1747 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1749
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1750 /*
1751 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1752 * from a client and then selects a stream or Authenticated Encryption
1753 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1754 * encrypt-then-MAC response extension back to the client."
1755 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1756 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1757 ssl->session_negotiate->ciphersuite);
1758 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1759 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1760 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1761 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1762 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1763 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1764 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1766 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1767 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1768 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1769 }
1770
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1771 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1772 *olen = 0;
1773 return;
1774 }
1775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1776 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1778 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1779 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1780
1781 *p++ = 0x00;
1782 *p++ = 0x00;
1783
1784 *olen = 4;
1785}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1786#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1788#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1789static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1790 unsigned char *buf,
1791 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1792{
1793 unsigned char *p = buf;
1794
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1795 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1796 *olen = 0;
1797 return;
1798 }
1799
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1800 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1801 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1802
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1803 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1804 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1805
1806 *p++ = 0x00;
1807 *p++ = 0x00;
1808
1809 *olen = 4;
1810}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1812
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1813#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1814static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1815 unsigned char *buf,
1816 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1817{
1818 unsigned char *p = buf;
1819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1820 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1821 *olen = 0;
1822 return;
1823 }
1824
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1825 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1826
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1827 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1828 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1829
1830 *p++ = 0x00;
1831 *p++ = 0x00;
1832
1833 *olen = 4;
1834}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1835#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1838 unsigned char *buf,
1839 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1840{
1841 unsigned char *p = buf;
1842
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1843 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1844 *olen = 0;
1845 return;
1846 }
1847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1848 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1849
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1850 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1851 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1853#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1854 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1855 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1856 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1857 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1860 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1861 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1862 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1863 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1865 {
1866 *p++ = 0x00;
1867 *p++ = 0x01;
1868 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1869 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1870
1871 *olen = p - buf;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1872}
1873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1874#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1875static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1876 unsigned char *buf,
1877 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1878{
1879 unsigned char *p = buf;
1880
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1881 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1882 *olen = 0;
1883 return;
1884 }
1885
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1886 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1887
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1888 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1889 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1890
1891 *p++ = 0x00;
1892 *p++ = 1;
1893
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1894 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1895
1896 *olen = 5;
1897}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1898#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1899
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1900#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1901 defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1902static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1903 unsigned char *buf,
1904 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1905{
1906 unsigned char *p = buf;
1907 ((void) ssl);
1908
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1909 if ((ssl->handshake->cli_exts &
1910 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1911 *olen = 0;
1912 return;
1913 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1914
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1915 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1917 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1918 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1919
1920 *p++ = 0x00;
1921 *p++ = 2;
1922
1923 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1924 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1925
1926 *olen = 6;
1927}
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1928#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || MBEDTLS_ECDSA_C ||
1929 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1930
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1931#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1932static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1933 unsigned char *buf,
1934 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1935{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1936 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1937 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1938 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1939 size_t kkpp_len;
1940
1941 *olen = 0;
1942
1943 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1944 if (ssl->handshake->ciphersuite_info->key_exchange !=
1945 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1946 return;
1947 }
1948
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1949 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1950
1951 if (end - p < 4) {
1952 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1953 return;
1954 }
1955
1956 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1957 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1958
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1959#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1960 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1961 p + 2, end - p - 2, &kkpp_len,
1962 MBEDTLS_ECJPAKE_ROUND_ONE);
1963 if (ret != 0) {
1964 psa_destroy_key(ssl->handshake->psa_pake_password);
1965 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1966 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1967 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1968 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1969#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1970 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1971 p + 2, end - p - 2, &kkpp_len,
1972 ssl->conf->f_rng, ssl->conf->p_rng);
1973 if (ret != 0) {
1974 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1975 return;
1976 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1977#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1979 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1980 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1981
1982 *olen = kkpp_len + 4;
1983}
1984#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1986#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1987static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1988 unsigned char *buf,
1989 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1990{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1991 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1992 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1993 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1994
1995 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1996
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1997 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1998 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1999 return;
2000 }
2001
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2002 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2003
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2004 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2005 mki_len = ssl->dtls_srtp_info.mki_len;
2006 }
2007
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]2008 /* The extension total size is 9 bytes :
2009 * - 2 bytes for the extension tag
2010 * - 2 bytes for the total size
2011 * - 2 bytes for the protection profile length
2012 * - 2 bytes for the protection profile
2013 * - 1 byte for the mki length
2014 * + the actual mki length
2015 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2016 if ((size_t) (end - buf) < mki_len + 9) {
2017 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]2018 return;
2019 }
2020
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2021 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2022 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]2023 /*
2024 * total length 5 and mki value: only one profile(2 bytes)
2025 * and length(2 bytes) and srtp_mki )
2026 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2027 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2028 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2029
2030 /* protection profile length: 2 */
2031 buf[4] = 0x00;
2032 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]2033 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2034 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2035 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2036 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2037 } else {
2038 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]2039 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2040 }
2041
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2042 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2043 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2044
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]2045 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2046}
2047#endif /* MBEDTLS_SSL_DTLS_SRTP */
2048
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2049#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2050MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2051static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2052{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2053 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2054 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2055 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2057 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2058
2059 /*
2060 * struct {
2061 * ProtocolVersion server_version;
2062 * opaque cookie<0..2^8-1>;
2063 * } HelloVerifyRequest;
2064 */
2065
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]2066 /* The RFC is not clear on this point, but sending the actual negotiated
2067 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2068 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2069 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2070 p += 2;
2071
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2072 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2073 if (ssl->conf->f_cookie_write == NULL) {
2074 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2075 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]2076 }
2077
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2078 /* Skip length byte until we know the length */
2079 cookie_len_byte = p++;
2080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2081 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2082 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2083 ssl->cli_id, ssl->cli_id_len)) != 0) {
2084 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2085 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2086 }
2087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2088 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2090 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2091
2092 ssl->out_msglen = p - ssl->out_msg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2093 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2094 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2095
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2096 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2097
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2098 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2099 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2100 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2101 }
2102
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2103#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2104 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2105 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2106 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2107 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2108 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2109#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2110
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2111 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2112
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2113 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2114}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2116
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2117static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2118{
2119 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2120 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2121 mbedtls_ssl_session * const session = ssl->session_negotiate;
2122
2123 /* Resume is 0 by default, see ssl_handshake_init().
2124 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2125 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2126 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 }
2128 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2129 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2130 }
2131 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2132 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2134#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2135 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2136 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2137 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2138#endif
2139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2140 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2141
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2142 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2143 session->id,
2144 session->id_len,
2145 &session_tmp);
2146 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2147 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2148 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2150 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2151 /* Mismatch between cached and negotiated session */
2152 goto exit;
2153 }
2154
2155 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2156 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2157 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2158 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2161 ssl->handshake->resume = 1;
2162
2163exit:
2164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2165 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2166}
2167
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2168MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2169static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2170{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2172 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2173#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2174 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2175 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2176 unsigned char *buf, *p;
2177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2180#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2181 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2182 ssl->handshake->cookie_verify_result != 0) {
2183 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2184 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2185
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2186 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2187 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2190 if (ssl->conf->f_rng == NULL) {
2191 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2192 return MBEDTLS_ERR_SSL_NO_RNG;
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]2193 }
2194
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195 /*
2196 * 0 . 0 handshake type
2197 * 1 . 3 handshake length
2198 * 4 . 5 protocol version
2199 * 6 . 9 UNIX time()
2200 * 10 . 37 random bytes
2201 */
2202 buf = ssl->out_msg;
2203 p = buf + 4;
2204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2205 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2206 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2207
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2208 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2209 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2212 t = mbedtls_time(NULL);
2213 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2214 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2216 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2217 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2218#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2219 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2220 return ret;
2221 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2222
2223 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2224#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2225
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2226 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2227 return ret;
2228 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2229 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2230
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2231#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2232 /*
2233 * RFC 8446
2234 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2235 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2236 * response to a ClientHello MUST set the last 8 bytes of their Random
2237 * value specially in their ServerHello.
2238 */
2239 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2240 static const unsigned char magic_tls12_downgrade_string[] =
2241 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2242
2243 MBEDTLS_STATIC_ASSERT(
2244 sizeof(magic_tls12_downgrade_string) == 8,
2245 "magic_tls12_downgrade_string does not have the expected size");
2246
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2247 memcpy(p, magic_tls12_downgrade_string,
2248 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2249 } else
2250#endif
2251 {
2252 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2253 return ret;
2254 }
2255 }
2256 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2260 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2261
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2262 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2264 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2265 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2266 * New session, create a new session id,
2267 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269 ssl->state++;
2270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2272 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2273#endif
2274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2275#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2276 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2277 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2278 memset(ssl->session_negotiate->id, 0, 32);
2279 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2280#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2281 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2282 ssl->session_negotiate->id_len = n = 32;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2283 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2284 n)) != 0) {
2285 return ret;
2286 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2287 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2288 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2289 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2290 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2291 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2292 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2293 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2294
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2295 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2296 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2297 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2298 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2299 }
2300
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2301 /*
2302 * 38 . 38 session id length
2303 * 39 . 38+n session id
2304 * 39+n . 40+n chosen ciphersuite
2305 * 41+n . 41+n chosen compression alg.
2306 * 42+n . 43+n extensions length
2307 * 44+n . 43+n+m extensions
2308 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2309 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2310 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2311 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2313 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2314 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2315 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2316 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2318 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2319 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2320 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2321
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2322 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2323 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2324 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2325 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2326
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2327 /*
2328 * First write extensions, then the total length
2329 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2330 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2331 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2333#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2335 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2336#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2337
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2338#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2339 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2340 ext_len += olen;
2341#endif
2342
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2343#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2345 ext_len += olen;
2346#endif
2347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2349 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2350 ext_len += olen;
2351#endif
2352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2353#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2354 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2355 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2356#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2357
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2358#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
2359 defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2360 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2361 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2362 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2363 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2364 ext_len += olen;
2365 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2366#endif
2367
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2368#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2369 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2370 ext_len += olen;
2371#endif
2372
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2373#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2374 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2375 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2376 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2377 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2378 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2379
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2380 ext_len += olen;
2381#endif
2382
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2383#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2384 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2385 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2386#endif
2387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2388 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2389 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2391 if (ext_len > 0) {
2392 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2393 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2394 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395
2396 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2397 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2398 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2400 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2402 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2404 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2405}
2406
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2407#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2408MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2409static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2410{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2411 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2412 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2414 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2415
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2416 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2417 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2418 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2420 }
2421
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2422 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2423 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2424}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2425#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2426MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2427static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2428{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2430 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2431 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2432 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2433 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2434 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2435 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2436 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2437 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2440
2441 ssl->state++;
2442
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2443#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2444 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2445 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2446 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2447#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2448 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2450 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2451 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2452 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2453 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454 }
2455
2456 /*
2457 * 0 . 0 handshake type
2458 * 1 . 3 handshake length
2459 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2460 * 5 .. m-1 cert types
2461 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2462 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2463 * n .. n+1 length of all DNs
2464 * n+2 .. n+3 length of DN 1
2465 * n+4 .. ... Distinguished Name #1
2466 * ... .. ... length of DN 2, etc.
2467 */
2468 buf = ssl->out_msg;
2469 p = buf + 4;
2470
2471 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2472 * Supported certificate types
2473 *
2474 * ClientCertificateType certificate_types<1..2^8-1>;
2475 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2476 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2477 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2479#if defined(MBEDTLS_RSA_C)
2480 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2481#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2482#if defined(MBEDTLS_ECDSA_C)
2483 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2484#endif
2485
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2486 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2487 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2488
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2489 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2490
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2491 /*
2492 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2493 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2494 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2495 *
2496 * struct {
2497 * HashAlgorithm hash;
2498 * SignatureAlgorithm signature;
2499 * } SignatureAndHashAlgorithm;
2500 *
2501 * enum { (255) } HashAlgorithm;
2502 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2503 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2504 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2505 if (sig_alg == NULL) {
2506 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2507 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2510 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2513 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2514 }
2515 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2516 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2517 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2518
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2519 /* Write elements at offsets starting from 1 (offset 0 is for the
2520 * length). Thus the offset of each element is the length of the
2521 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2522 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2524
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2525 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2526
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2527 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2528 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2529 sa_len += 2;
2530 p += sa_len;
2531
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2532 /*
2533 * DistinguishedName certificate_authorities<0..2^16-1>;
2534 * opaque DistinguishedName<1..2^16-1>;
2535 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2537
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2538 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2540 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2541 /* NOTE: If trusted certificates are provisioned
2542 * via a CA callback (configured through
2543 * `mbedtls_ssl_conf_ca_cb()`, then the
2544 * CertificateRequest is currently left empty. */
2545
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2546#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2547#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2548 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2549 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2550 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2551#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2552 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2553 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2555#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2556#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2557 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2558 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2559 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2560#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2561 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2563 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2564 /* It follows from RFC 5280 A.1 that this length
2565 * can be represented in at most 11 bits. */
2566 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2567
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2568 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2569 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2570 break;
2571 }
2572
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2573 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2574 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2575 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2576 p += dn_size;
2577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2578 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2579
2580 total_dn_size += 2 + dn_size;
2581 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2582 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2583 }
2584
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2585 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2586 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2587 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2588 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2589
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2590 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2591
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2592 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2594 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2595}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2596#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2598#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2599 (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2600 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2601MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2602static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2603{
2604 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2605 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2606 mbedtls_pk_context *pk;
2607 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2608 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2609#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2610 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2611 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2612 size_t key_len;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2613 mbedtls_ecp_group_id grp_id;
Valerio Setti3589a4c2023-06-22 09:02:44 +0200[diff] [blame]2614 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2615 mbedtls_ecp_keypair *key;
2616#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2618 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2620 if (pk == NULL) {
2621 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2622 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2623
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2624 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2625
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2626 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2627 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2628#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2629 case MBEDTLS_PK_ECKEY:
2630 case MBEDTLS_PK_ECKEY_DH:
2631 case MBEDTLS_PK_ECDSA:
2632#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2633 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2634 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2635 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2636
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2637 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
Neil Armstronge88d1902022-04-04 11:25:23 +0200[diff] [blame]2638
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2639 /* Key should not be destroyed in the TLS library */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2640 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Przemek Stekiel6f199852023-06-29 08:59:26 +0200[diff] [blame]2641
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2642 status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2643 &key_attributes);
2644 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2645 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2646 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2647 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2648
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2649 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2650 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2651
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2652 psa_reset_key_attributes(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2654 ret = 0;
2655 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2656#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2657 case MBEDTLS_PK_ECKEY:
2658 case MBEDTLS_PK_ECKEY_DH:
2659 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2660 key = mbedtls_pk_ec_rw(*pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2661 grp_id = mbedtls_pk_get_group_id(pk);
2662 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2664 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2665 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2666 if (tls_id == 0) {
2667 /* This elliptic curve is not supported */
2668 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2669 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2670
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2671 /* If the above conversion to TLS ID was fine, then also this one will
2672 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2673 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2674 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2675
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2676 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2678 key_attributes = psa_key_attributes_init();
2679 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2680 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2681 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2682 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2683 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2684
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2685 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2686 ret = mbedtls_ecp_write_key(key, buf, key_len);
2687 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2688 mbedtls_platform_zeroize(buf, sizeof(buf));
2689 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2690 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2692 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2693 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2694 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2695 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2696 mbedtls_platform_zeroize(buf, sizeof(buf));
2697 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2699
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2700 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2701 ret = 0;
2702 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2703#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2704 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2705 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2706 }
2707
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2708 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2709}
2710#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2711 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2712MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2713static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2714{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2715 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2716
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2717 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2718 if (private_key == NULL) {
2719 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2720 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2721 }
2722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2723 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2724 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2725 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2726 }
2727
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2728 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
Valerio Setti77a75682023-05-15 11:18:46 +0200[diff] [blame]2729 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2730 MBEDTLS_ECDH_OURS)) != 0) {
2731 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2732 return ret;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2733 }
2734
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2735 return 0;
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2736}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2737#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2738 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2739
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2740#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2741 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2742MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2743static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2744 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2745{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2746 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2747 * signature length which will be added in ssl_write_server_key_exchange
2748 * after the call to ssl_prepare_server_key_exchange.
2749 * ssl_write_server_key_exchange also takes care of incrementing
2750 * ssl->out_msglen. */
2751 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2752 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2753 - sig_start);
2754 int ret = ssl->conf->f_async_resume(ssl,
2755 sig_start, signature_len, sig_max_len);
2756 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2757 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2758 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2759 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2760 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2761 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2762}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2763#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2764 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2765
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2766/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2767 * calculating the signature if any, but excluding formatting the
2768 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2769MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2770static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2771 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2772{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2773 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2774 ssl->handshake->ciphersuite_info;
2775
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2776#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2777#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2778 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2779#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2780#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2781
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2782 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2783#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2784 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2785#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2786
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2787#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2788#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2789 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2790#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2791 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2792#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2793#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2794
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2795 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2796
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2797 /*
2798 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2799 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2800 *
2801 */
2802
2803 /*
2804 * - ECJPAKE key exchanges
2805 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2806#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2807 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2808 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2809#if defined(MBEDTLS_USE_PSA_CRYPTO)
2810 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2811 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2812 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2813 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2814 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2815
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2816 /*
2817 * The first 3 bytes are:
2818 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2819 * [1, 2] elliptic curve's TLS ID
2820 *
2821 * However since we only support secp256r1 for now, we hardcode its
2822 * TLS ID here
2823 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2824 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2825 MBEDTLS_ECP_DP_SECP256R1);
2826 if (tls_id == 0) {
2827 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2828 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2829 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2830 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2831 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2832
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2833 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2834 out_p + output_offset,
2835 end_p - out_p - output_offset, &output_len,
2836 MBEDTLS_ECJPAKE_ROUND_TWO);
2837 if (ret != 0) {
2838 psa_destroy_key(ssl->handshake->psa_pake_password);
2839 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2840 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2841 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2842 }
2843
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2844 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2845 ssl->out_msglen += output_offset;
2846#else
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2847 size_t len = 0;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2848
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2849 ret = mbedtls_ecjpake_write_round_two(
2850 &ssl->handshake->ecjpake_ctx,
2851 ssl->out_msg + ssl->out_msglen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2852 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2853 ssl->conf->f_rng, ssl->conf->p_rng);
2854 if (ret != 0) {
2855 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2856 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2857 }
2858
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2859 ssl->out_msglen += len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2860#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2861 }
2862#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2863
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2864 /*
2865 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2866 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2867 * we use empty support identity hints here.
2868 **/
2869#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2870 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2871 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2872 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2873 ssl->out_msg[ssl->out_msglen++] = 0x00;
2874 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2875 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2876#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2877 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2878
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2879 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2880 * - DHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2881 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2882#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2883 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2885 size_t len = 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2886
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2887 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2888 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2889 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1028b742015-05-06 17:33:07 +0100[diff] [blame]2890 }
2891
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2892 /*
2893 * Ephemeral DH parameters:
2894 *
2895 * struct {
2896 * opaque dh_p<1..2^16-1>;
2897 * opaque dh_g<1..2^16-1>;
2898 * opaque dh_Ys<1..2^16-1>;
2899 * } ServerDHParams;
2900 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2901 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2902 &ssl->conf->dhm_P,
2903 &ssl->conf->dhm_G)) != 0) {
2904 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2905 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2906 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2908 if ((ret = mbedtls_dhm_make_params(
2909 &ssl->handshake->dhm_ctx,
2910 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2911 ssl->out_msg + ssl->out_msglen, &len,
2912 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2913 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2914 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2915 }
2916
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2917#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2918 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2919#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2920
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2921 ssl->out_msglen += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2922
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2923 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2924 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2925 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2926 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2927 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2928#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2929
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2930 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2931 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2932 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2933#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2934 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2935 /*
2936 * Ephemeral ECDH parameters:
2937 *
2938 * struct {
2939 * ECParameters curve_params;
2940 * ECPoint public;
2941 * } ServerECDHParams;
2942 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2943 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2944 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2945 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2946 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2947
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2948 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2949 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2950 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2951 }
2952 for (; *group_list != 0; group_list++) {
2953 for (curr_tls_id = ssl->handshake->curves_tls_id;
2954 *curr_tls_id != 0; curr_tls_id++) {
2955 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2956 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2957 }
2958 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2959 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2960
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2961curve_matching_done:
2962 if (*curr_tls_id == 0) {
2963 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2964 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2965 }
2966
2967 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2968 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2969
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2970#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2971 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2972 psa_key_attributes_t key_attributes;
2973 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2974 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2975 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2976 // data length(1)
2977 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2978 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2979 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2981 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2982
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2983 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2984 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2985 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2986 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2987 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2988 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2989 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2990 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2991 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2992
2993 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2994 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2995 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2996 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2997 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2998
2999 /*
3000 * ECParameters curve_params
3001 *
3002 * First byte is curve_type, always named_curve
3003 */
3004 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3005
3006 /*
3007 * Next two bytes are the namedcurve value
3008 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3009 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3010 p += 2;
3011
3012 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3013 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3014 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3015 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3016 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3017 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3018 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3019 }
3020
3021 /*
3022 * ECPoint public
3023 *
3024 * First byte is data length.
3025 * It will be filled later. p holds now the data length location.
3026 */
3027
3028 /* Export the public part of the ECDH private key from PSA.
3029 * Make one byte space for the length.
3030 */
3031 unsigned char *own_pubkey = p + data_length_size;
3032
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3034 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3035
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3036 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3037 own_pubkey, own_pubkey_max_len,
3038 &len);
3039 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3040 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3041 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3042 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3043 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3044 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3045 }
3046
3047 /* Store the length of the exported public key. */
3048 *p = (uint8_t) len;
3049
3050 /* Determine full message length. */
3051 len += header_size;
3052#else
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3053 mbedtls_ecp_group_id curr_grp_id =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3054 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]3055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3056 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3057 curr_grp_id)) != 0) {
3058 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3059 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3060 }
3061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3062 if ((ret = mbedtls_ecdh_make_params(
3063 &ssl->handshake->ecdh_ctx, &len,
3064 ssl->out_msg + ssl->out_msglen,
3065 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3066 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3067 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3068 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3069 }
3070
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3071 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3072 MBEDTLS_DEBUG_ECDH_Q);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3073#endif /* MBEDTLS_USE_PSA_CRYPTO */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3074
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3075#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3076 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3077#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3078
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]3079 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3080 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3081#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3082
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3083 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3084 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3085 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]3086 * exchange parameters, compute and add the signature here.
3087 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3088 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3089#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3090 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3091 if (dig_signed == NULL) {
3092 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3093 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]3094 }
3095
Gilles Peskine1004c192018-01-08 16:59:14 +0100[diff] [blame]3096 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]3097 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]3098 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]3099
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3101
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3102 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3103 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]3104 * For TLS 1.2, obey signature-hash-algorithm extension
3105 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3106 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3107
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3108 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3109 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3110
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3111 unsigned int sig_hash =
3112 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3113 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3114
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3115 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]3116
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3117 /* For TLS 1.2, obey signature-hash-algorithm extension
3118 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3119 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3120 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3121 /* (... because we choose a cipher suite
3122 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3123 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3124 }
3125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3126 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3127
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3128 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3129 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3130 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3131 if (md_alg != MBEDTLS_MD_NONE) {
3132 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3133 dig_signed,
3134 dig_signed_len,
3135 md_alg);
3136 if (ret != 0) {
3137 return ret;
3138 }
3139 } else {
3140 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3141 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3142 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3144 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3145
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3146 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3147 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]3148 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3149 /*
3150 * We need to specify signature and hash algorithm explicitly through
3151 * a prefix to the signature.
3152 *
3153 * struct {
3154 * HashAlgorithm hash;
3155 * SignatureAlgorithm signature;
3156 * } SignatureAndHashAlgorithm;
3157 *
3158 * struct {
3159 * SignatureAndHashAlgorithm algorithm;
3160 * opaque signature<0..2^16-1>;
3161 * } DigitallySigned;
3162 *
3163 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]3164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3165 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3166 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3167
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3168#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3169 if (ssl->conf->f_async_sign_start != NULL) {
3170 ret = ssl->conf->f_async_sign_start(ssl,
3171 mbedtls_ssl_own_cert(ssl),
3172 md_alg, hash, hashlen);
3173 switch (ret) {
3174 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3175 /* act as if f_async_sign was null */
3176 break;
3177 case 0:
3178 ssl->handshake->async_in_progress = 1;
3179 return ssl_resume_server_key_exchange(ssl, signature_len);
3180 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3181 ssl->handshake->async_in_progress = 1;
3182 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3183 default:
3184 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3185 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3186 }
3187 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3188#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3189
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3190 if (mbedtls_ssl_own_key(ssl) == NULL) {
3191 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3192 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3193 }
3194
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3195 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3196 * signature length which will be added in ssl_write_server_key_exchange
3197 * after the call to ssl_prepare_server_key_exchange.
3198 * ssl_write_server_key_exchange also takes care of incrementing
3199 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3200 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3201 md_alg, hash, hashlen,
3202 ssl->out_msg + ssl->out_msglen + 2,
3203 out_buf_len - ssl->out_msglen - 2,
3204 signature_len,
3205 ssl->conf->f_rng,
3206 ssl->conf->p_rng)) != 0) {
3207 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3208 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3209 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3210 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3211#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3212
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3213 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3214}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3215
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3216/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3217 * that do not include a ServerKeyExchange message, do nothing. Either
3218 * way, if successful, move on to the next step in the SSL state
3219 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3220MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3221static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3222{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3223 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3224 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3225#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3226 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3227 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3228#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3229
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3230 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3231
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3232#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3233 /* Extract static ECDH parameters and abort if ServerKeyExchange
3234 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3235 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3236 /* For suites involving ECDH, extract DH parameters
3237 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3238#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3239 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3240 ret = ssl_get_ecdh_params_from_cert(ssl);
3241 if (ret != 0) {
3242 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3243 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3244 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3245 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3246#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3247
3248 /* Key exchanges not involving ephemeral keys don't use
3249 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3250 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3251 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3252 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3253 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3254#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3255
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3256#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3257 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3258 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3259 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3260 if (ssl->handshake->async_in_progress != 0) {
3261 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3262 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3263 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3264#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3265 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3266 {
3267 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3268 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3269 }
3270
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3271 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3272 /* If we're starting to write a new message, set ssl->out_msglen
3273 * to 0. But if we're resuming after an asynchronous message,
3274 * out_msglen is the amount of data written so far and mst be
3275 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3276 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3277 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3278 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3279 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3280 }
3281 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3282 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3283
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3284 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3285 * ssl_prepare_server_key_exchange already wrote the signature
3286 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3287#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3288 if (signature_len != 0) {
3289 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3290 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3292 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3293 ssl->out_msg + ssl->out_msglen,
3294 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3295
3296 /* Skip over the already-written signature */
3297 ssl->out_msglen += signature_len;
3298 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3299#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3300
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3301 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3302 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3303 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3304
3305 ssl->state++;
3306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3307 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3308 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3309 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3310 }
3311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3312 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3313 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3314}
3315
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3316MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3317static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3318{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3321 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3322
3323 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3324 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3325 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3326
3327 ssl->state++;
3328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3329#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3330 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3331 mbedtls_ssl_send_flight_completed(ssl);
3332 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3333#endif
3334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3335 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3336 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3337 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3338 }
3339
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3340#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3341 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3342 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3343 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3344 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3345 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3346#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3347
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3348 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3350 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3351}
3352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3353#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3354 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3355MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3356static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3357 const unsigned char *end)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3358{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3359 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3360 size_t n;
3361
3362 /*
3363 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3364 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 if (*p + 2 > end) {
3366 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3367 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3368 }
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3369
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3370 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3371 *p += 2;
3372
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3373 if (*p + n > end) {
3374 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3375 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3376 }
3377
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3378 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3379 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3380 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3381 }
3382
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3383 *p += n;
3384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3385 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3387 return ret;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3388}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3389#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3390 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3392#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3393 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3394
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3395#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3396MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3397static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3398 unsigned char *peer_pms,
3399 size_t *peer_pmslen,
3400 size_t peer_pmssize)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3401{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3402 int ret = ssl->conf->f_async_resume(ssl,
3403 peer_pms, peer_pmslen, peer_pmssize);
3404 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]3405 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3406 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3407 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3408 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3409 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3410}
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3411#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3412
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3413MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3414static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3415 const unsigned char *p,
3416 const unsigned char *end,
3417 unsigned char *peer_pms,
3418 size_t *peer_pmslen,
3419 size_t peer_pmssize)
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3420{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3421 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3423 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3424 if (own_cert == NULL) {
3425 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3426 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
Leonid Rozenboim70dfd4c2022-08-08 15:43:44 -0700[diff] [blame]3427 }
3428 mbedtls_pk_context *public_key = &own_cert->pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3429 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3430 size_t len = mbedtls_pk_get_len(public_key);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3431
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3432#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3433 /* If we have already started decoding the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3434 * decryption operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3435 if (ssl->handshake->async_in_progress != 0) {
3436 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3437 return ssl_resume_decrypt_pms(ssl,
3438 peer_pms, peer_pmslen, peer_pmssize);
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3439 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3440#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3441
3442 /*
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3443 * Prepare to decrypt the premaster using own private RSA key
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3444 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3445 if (p + 2 > end) {
3446 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3447 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]3448 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3449 if (*p++ != MBEDTLS_BYTE_1(len) ||
3450 *p++ != MBEDTLS_BYTE_0(len)) {
3451 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3452 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3453 }
3454
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3455 if (p + len != end) {
3456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3457 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3458 }
3459
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3460 /*
3461 * Decrypt the premaster secret
3462 */
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3463#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3464 if (ssl->conf->f_async_decrypt_start != NULL) {
3465 ret = ssl->conf->f_async_decrypt_start(ssl,
3466 mbedtls_ssl_own_cert(ssl),
3467 p, len);
3468 switch (ret) {
3469 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3470 /* act as if f_async_decrypt_start was null */
3471 break;
3472 case 0:
3473 ssl->handshake->async_in_progress = 1;
3474 return ssl_resume_decrypt_pms(ssl,
3475 peer_pms,
3476 peer_pmslen,
3477 peer_pmssize);
3478 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3479 ssl->handshake->async_in_progress = 1;
3480 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3481 default:
3482 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3483 return ret;
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3484 }
3485 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3486#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3488 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3489 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3490 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3491 }
3492
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3493 ret = mbedtls_pk_decrypt(private_key, p, len,
3494 peer_pms, peer_pmslen, peer_pmssize,
3495 ssl->conf->f_rng, ssl->conf->p_rng);
3496 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3497}
3498
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3499MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3500static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3501 const unsigned char *p,
3502 const unsigned char *end,
3503 size_t pms_offset)
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3504{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3505 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3506 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3507 unsigned char ver[2];
3508 unsigned char fake_pms[48], peer_pms[48];
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3509 size_t peer_pmslen;
3510 mbedtls_ct_condition_t diff;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3511
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3512 /* In case of a failure in decryption, the decryption may write less than
3513 * 2 bytes of output, but we always read the first two bytes. It doesn't
3514 * matter in the end because diff will be nonzero in that case due to
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3515 * ret being nonzero, and we only care whether diff is 0.
3516 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3517 * also makes memory analyzers happy (don't access uninitialized memory,
3518 * even if it's an unsigned char). */
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3519 peer_pms[0] = peer_pms[1] = ~0;
André Maroneze79533292020-11-12 09:37:42 +0100[diff] [blame]3520 peer_pmslen = 0;
Gilles Peskine0a8352b2018-06-13 18:16:41 +0200[diff] [blame]3521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3522 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3523 peer_pms,
3524 &peer_pmslen,
3525 sizeof(peer_pms));
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3526
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3527#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3528 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3529 return ret;
3530 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3531#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3532
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3533 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3534 ssl->session_negotiate->tls_version);
Gilles Peskine2e333372018-04-24 13:22:10 +0200[diff] [blame]3535
3536 /* Avoid data-dependent branches while checking for invalid
3537 * padding, to protect against timing-based Bleichenbacher-type
3538 * attacks. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3539 diff = mbedtls_ct_bool(ret);
3540 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pmslen, 48));
3541 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pms[0], ver[0]));
3542 diff = mbedtls_ct_bool_or(diff, mbedtls_ct_bool_ne(peer_pms[1], ver[1]));
Manuel Pégourié-Gonnardb9c93d02015-06-23 13:53:15 +0200[diff] [blame]3543
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3544 /*
3545 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3546 * must not cause the connection to end immediately; instead, send a
3547 * bad_record_mac later in the handshake.
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3548 * To protect against timing-based variants of the attack, we must
3549 * not have any branch that depends on whether the decryption was
3550 * successful. In particular, always generate the fake premaster secret,
3551 * regardless of whether it will ultimately influence the output or not.
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3552 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3553 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3554 if (ret != 0) {
Gilles Peskinee1416382018-04-26 10:23:21 +0200[diff] [blame]3555 /* It's ok to abort on an RNG failure, since this does not reveal
3556 * anything about the RSA decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3557 return ret;
Gilles Peskinebcd98a52018-01-11 21:30:40 +0100[diff] [blame]3558 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3559
Manuel Pégourié-Gonnard331ba572015-04-20 12:33:57 +0100[diff] [blame]3560#if defined(MBEDTLS_SSL_DEBUG_ALL)
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3561 if (diff != MBEDTLS_CT_FALSE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3562 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3563 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3564#endif
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3565
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3566 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3567 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3568 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3569 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3570 }
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3571 ssl->handshake->pmslen = 48;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3572
Gilles Peskine422ccab2018-01-11 18:29:01 +0100[diff] [blame]3573 /* Set pms to either the true or the fake PMS, without
3574 * data-dependent branches. */
Dave Rodgman293eedd2023-05-17 12:31:36 +0100[diff] [blame]3575 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
Manuel Pégourié-Gonnard6674cce2015-02-06 10:30:58 +0000[diff] [blame]3576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3577 return 0;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3578}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3579#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3580 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3581
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3582#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3583MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3584static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3585 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3586{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3587 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3588 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3589
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3590 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3591 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3592 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3593 }
3594
3595 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3596 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3597 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3598 if (end - *p < 2) {
3599 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3600 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3601 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3602
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3603 n = ((*p)[0] << 8) | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3604 *p += 2;
3605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3606 if (n == 0 || n > end - *p) {
3607 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3608 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3609 }
3610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3611 if (ssl->conf->f_psk != NULL) {
3612 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3613 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3614 }
3615 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3616 /* Identity is not a big secret since clients send it in the clear,
3617 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3618 if (n != ssl->conf->psk_identity_len ||
3619 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3620 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3621 }
3622 }
3623
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3624 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3625 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3626 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3627 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3628 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3629 }
3630
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3631 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3632
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3633 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3634}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3635#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3636
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3637MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3638static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3639{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3640 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3641 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3642 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3643
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3644 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3645
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3646 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3647
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3648#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3649 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3650 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3651 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3652 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3653 (ssl->handshake->async_in_progress != 0)) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3654 /* We've already read a record and there is an asynchronous
3655 * operation in progress to decrypt it. So skip reading the
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3656 * record. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3657 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3658 } else
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3659#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3660 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3661 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3662 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3663 }
3664
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3665 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3666 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3667
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3668 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3669 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3670 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3671 }
3672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3673 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3674 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3675 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3676 }
3677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3678#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3679 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3680 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3681 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3682 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3683 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3684
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3685 if (p != end) {
3686 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3687 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3688 }
3689
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3690 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3691 ssl->handshake->premaster,
3692 MBEDTLS_PREMASTER_SIZE,
3693 &ssl->handshake->pmslen,
3694 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3695 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3696 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3697 }
3698
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3699 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3700 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3701#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3702#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3703 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3704 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3706 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3710#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3711 size_t data_len = (size_t) (*p++);
3712 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3713 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3714 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3715
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3716 MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3717
3718 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3719 * We must have at least two bytes (1 for length, at least 1 for data)
3720 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3721 if (buf_len < 2) {
3722 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length"));
3723 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3724 }
3725
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3726 if (data_len < 1 || data_len > buf_len) {
3727 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length"));
3728 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3729 }
3730
3731 /* Store peer's ECDH public key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3732 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3733 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3734
3735 /* Compute ECDH shared secret. */
3736 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3737 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3738 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3739 handshake->premaster, sizeof(handshake->premaster),
3740 &handshake->pmslen);
3741 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3742 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3743 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3744 if (handshake->xxdh_psa_privkey_is_external == 0) {
3745 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3746 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3747 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3748 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3749 }
3750
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3751 if (handshake->xxdh_psa_privkey_is_external == 0) {
3752 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3754 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3755 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3756 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3757 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3758 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3759 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3760 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3761#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3762 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3763 p, end - p)) != 0) {
3764 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3765 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3766 }
3767
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3768 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3769 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3770
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3771 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3772 &ssl->handshake->pmslen,
3773 ssl->handshake->premaster,
3774 MBEDTLS_MPI_MAX_SIZE,
3775 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3776 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3777 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3778 }
3779
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3780 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3781 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3782#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3783 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3784#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3785 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3786 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3787 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3788#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3789 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3790 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3791 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3792 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3793 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3794
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3795 if (p != end) {
3796 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3797 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3798 }
3799
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3800#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3801 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3802 (mbedtls_key_exchange_type_t) ciphersuite_info->
3803 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3804 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3805 return ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3806 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3807#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3808 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3809#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3810#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3811 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3812#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3813 if (ssl->handshake->async_in_progress != 0) {
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3814 /* There is an asynchronous operation in progress to
3815 * decrypt the encrypted premaster secret, so skip
3816 * directly to resuming this operation. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3817 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
Gilles Peskine2c6078e2018-01-12 13:46:43 +0100[diff] [blame]3818 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3819 * won't actually use it, but maintain p anyway for robustness. */
3820 p += ssl->conf->psk_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3821 } else
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3822#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3823 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3824 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3825 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3826 }
3827
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3828 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3829 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3830 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3831 }
3832
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3833#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3834 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3835 (mbedtls_key_exchange_type_t) ciphersuite_info->
3836 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3837 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3838 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3839 }
Neil Armstrongcd05f0b2022-05-03 10:28:37 +0200[diff] [blame]3840#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3841 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3842#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3843#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3844 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3845 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3846 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3847 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3848 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3849 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3850 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3851 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3852 }
3853
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3854 if (p != end) {
3855 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3856 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3857 }
3858
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3859#if defined(MBEDTLS_USE_PSA_CRYPTO)
3860 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3861 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3862 size_t pms_len;
3863
3864 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3865 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3866 pms + 2, pms_end - (pms + 2), &pms_len,
3867 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3868 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3869 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3870 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3871 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3872 pms += 2 + pms_len;
3873
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3874 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3875#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3876 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3877 (mbedtls_key_exchange_type_t) ciphersuite_info->
3878 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3879 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3880 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3881 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3882#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3883 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3884#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3885#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3886 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3887#if defined(MBEDTLS_USE_PSA_CRYPTO)
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3888 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3889 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3890 uint8_t ecpoint_len;
3891
3892 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3893
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3894 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3895 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3896 psa_destroy_key(handshake->xxdh_psa_privkey);
3897 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3898 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3899 }
3900
3901 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3902 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3903 psa_destroy_key(handshake->xxdh_psa_privkey);
3904 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3905 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3906 }
3907
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3908 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3909 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3910 psa_destroy_key(handshake->xxdh_psa_privkey);
3911 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3912 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3913 }
3914
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3915 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3916 the sizes of the FFDH keys which are at least 2048 bits.
3917 The size of the array is thus greater than 256 bytes which is greater than any
3918 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3919#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3920 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3921 psa_destroy_key(handshake->xxdh_psa_privkey);
3922 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3923 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3924 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3925#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3926 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3927 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3928#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3929
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3930 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3931 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3932 p += ecpoint_len;
3933
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3934 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3935 * - a uint16 containing the length (in octets) of the ECDH computation
3936 * - the octet string produced by the ECDH computation
3937 * - a uint16 containing the length (in octets) of the PSK
3938 * - the PSK itself
3939 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3940 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3941 const unsigned char * const psm_end =
3942 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3943 /* uint16 to store length (in octets) of the ECDH computation */
3944 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3945 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3946
3947 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3948 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3949 handshake->xxdh_psa_privkey,
3950 handshake->xxdh_psa_peerkey,
3951 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3952 psm + zlen_size,
3953 psm_end - (psm + zlen_size),
3954 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3955
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3956 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3957 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3959 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3960 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3961 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3962 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3963 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3964
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3965 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3966 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3967 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3968
Przemek Stekiel14d11b02022-04-14 08:33:29 +0200[diff] [blame]3969#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3970 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3971 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3972 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3973 }
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3974
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3975 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3976 p, end - p)) != 0) {
3977 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3978 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3979 }
3980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3981 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3982 MBEDTLS_DEBUG_ECDH_QP);
Manuel Pégourié-Gonnardb59d6992013-10-14 12:00:45 +0200[diff] [blame]3983
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3984 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]3985 (mbedtls_key_exchange_type_t) ciphersuite_info->
3986 key_exchange)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3987 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3988 return ret;
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3989 }
Neil Armstrong913b3642022-04-13 14:59:48 +0200[diff] [blame]3990#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3991 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3992#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3993#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3994 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3995 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3996 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3997 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3998 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3999 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4000#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4001#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4002 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4003#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4004 if ((ret = mbedtls_psa_ecjpake_read_round(
4005 &ssl->handshake->psa_pake_ctx, p, end - p,
4006 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4007 psa_destroy_key(ssl->handshake->psa_pake_password);
4008 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4009
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4010 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4011 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4012 }
4013#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4014 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4015 p, end - p);
4016 if (ret != 0) {
4017 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4018 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4019 }
4020
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4021 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4022 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4023 ssl->conf->f_rng, ssl->conf->p_rng);
4024 if (ret != 0) {
4025 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4026 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4027 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]4028#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4029 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]4030#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4031 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4032 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4033 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4034 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4035
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4036 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4037 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4038 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]4039 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4040
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4041 ssl->state++;
4042
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4043 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4044
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4045 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4046}
4047
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4048#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4049MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4050static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4051{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4052 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4053 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4054
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4055 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4056
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4057 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4058 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4059 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4060 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]4061 }
4062
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4063 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4064 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4065}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4066#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4067MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4068static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4069{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4070 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4071 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4072 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]4073 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4074 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4075 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4076 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]4077 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]4078 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4079 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4081 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4082
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4083 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4084 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4085 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4086 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]4087 }
4088
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4089#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4090 if (ssl->session_negotiate->peer_cert == NULL) {
4091 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4092 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4093 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4094 }
4095#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4096 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4097 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4098 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4099 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]4100 }
4101#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4102
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4103 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4104 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4105 if (0 != ret) {
4106 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4107 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4108 }
4109
4110 ssl->state++;
4111
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4112 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4113 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4114 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4115 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4116 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4117 }
4118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4119 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4120
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4121#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4122 peer_pk = &ssl->handshake->peer_pubkey;
4123#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4124 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4125 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4126 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]4127 }
4128 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4129#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4130
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4131 /*
4132 * struct {
4133 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4134 * opaque signature<0..2^16-1>;
4135 * } DigitallySigned;
4136 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4137 if (i + 2 > ssl->in_hslen) {
4138 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4139 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4140 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4141
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4142 /*
4143 * Hash
4144 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4145 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4146
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4147 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4148 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4149 " for verify message"));
4150 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4151 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4152
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4153#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4154 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4155 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4156 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4157#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4158
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4159 /* Info from md_alg will be used instead */
4160 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]4161
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4162 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4163
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4164 /*
4165 * Signature
4166 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4167 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4168 == MBEDTLS_PK_NONE) {
4169 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4170 " for verify message"));
4171 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]4172 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]4173
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4174 /*
4175 * Check the certificate's key type matches the signature alg
4176 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4177 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4178 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4179 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]4180 }
4181
4182 i++;
4183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4184 if (i + 2 > ssl->in_hslen) {
4185 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4186 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]4187 }
4188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4189 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]4190 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]4191
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4192 if (i + sig_len != ssl->in_hslen) {
4193 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4194 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4195 }
4196
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4197 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4198 {
4199 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4200 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4201 if (0 != ret) {
4202 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4203 return ret;
4204 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]4205 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4207 if ((ret = mbedtls_pk_verify(peer_pk,
4208 md_alg, hash_start, hashlen,
4209 ssl->in_msg + i, sig_len)) != 0) {
4210 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4211 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4212 }
4213
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]4214 ret = mbedtls_ssl_update_handshake_status(ssl);
4215 if (0 != ret) {
4216 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4217 return ret;
4218 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4220 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4221
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4222 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4223}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]4224#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4226#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]4227MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4228static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4229{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]4230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4231 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]4232 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4233
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4234 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4235
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4236 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4237 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4238
4239 /*
4240 * struct {
4241 * uint32 ticket_lifetime_hint;
4242 * opaque ticket<0..2^16-1>;
4243 * } NewSessionTicket;
4244 *
4245 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4246 * 8 . 9 ticket_len (n)
4247 * 10 . 9+n ticket content
4248 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]4249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4250 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4251 ssl->session_negotiate,
4252 ssl->out_msg + 10,
4253 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4254 &tlen, &lifetime)) != 0) {
4255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]4256 tlen = 0;
4257 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4258
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4259 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4260 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]4261 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4262
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]4263 /*
4264 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4265 * ChangeCipherSpec share the same state.
4266 */
4267 ssl->handshake->new_session_ticket = 0;
4268
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4269 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4270 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4271 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4272 }
4273
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4274 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4275
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4276 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4277}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4278#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4279
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4280/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4281 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4282 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4283int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4284{
4285 int ret = 0;
4286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4287 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4288
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4289 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4290 case MBEDTLS_SSL_HELLO_REQUEST:
4291 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4292 break;
4293
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4294 /*
4295 * <== ClientHello
4296 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4297 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4298 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4299 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4301#if defined(MBEDTLS_SSL_PROTO_DTLS)
4302 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4303 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4304#endif
4305
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4306 /*
4307 * ==> ServerHello
4308 * Certificate
4309 * ( ServerKeyExchange )
4310 * ( CertificateRequest )
4311 * ServerHelloDone
4312 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4313 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4314 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4315 break;
4316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4317 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4318 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4319 break;
4320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4321 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4322 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4323 break;
4324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4325 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4326 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4327 break;
4328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4329 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4330 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4331 break;
4332
4333 /*
4334 * <== ( Certificate/Alert )
4335 * ClientKeyExchange
4336 * ( CertificateVerify )
4337 * ChangeCipherSpec
4338 * Finished
4339 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4340 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4341 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4342 break;
4343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4344 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4345 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4346 break;
4347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4348 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4349 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4350 break;
4351
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4352 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4353 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4354 break;
4355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4356 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4357 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4358 break;
4359
4360 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]4361 * ==> ( NewSessionTicket )
4362 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4363 * Finished
4364 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4365 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4366#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4367 if (ssl->handshake->new_session_ticket != 0) {
4368 ret = ssl_write_new_session_ticket(ssl);
4369 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]4370#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4371 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4372 break;
4373
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4374 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4375 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4376 break;
4377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4378 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4379 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4380 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4381 break;
4382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4383 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4384 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]4385 break;
4386
4387 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4388 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4389 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4390 }
4391
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4392 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]4393}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]4395void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4396{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]4397 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]4398}
4399
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]4400#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */