| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 2 | * TLS server-side functions |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3 | * |
| Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 4 | * Copyright The Mbed TLS Contributors |
| Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 18 | */ |
| 19 | |
| Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 20 | #include "common.h" |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 21 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 22 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 23 | |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 24 | #include "mbedtls/platform.h" |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 25 | |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 26 | #include "mbedtls/ssl.h" |
| Chris Jones | 84a773f | 2021-03-05 18:38:47 +0000 | [diff] [blame] | 27 | #include "ssl_misc.h" |
| Janos Follath | 73c616b | 2019-12-18 15:07:04 +0000 | [diff] [blame] | 28 | #include "mbedtls/debug.h" |
| 29 | #include "mbedtls/error.h" |
| Andres Amaya Garcia | 8491406 | 2018-04-24 08:40:46 -0500 | [diff] [blame] | 30 | #include "mbedtls/platform_util.h" |
| Gabor Mezei | 22c9a6f | 2021-10-20 12:09:35 +0200 | [diff] [blame] | 31 | #include "constant_time_internal.h" |
| Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 32 | #include "mbedtls/constant_time.h" |
| Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 33 | |
| 34 | #include <string.h> |
| 35 | |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 36 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Andrzej Kurek | 0064484 | 2023-05-30 05:45:00 -0400 | [diff] [blame] | 37 | /* Define a local translating function to save code size by not using too many |
| 38 | * arguments in each translating place. */ |
| Andrzej Kurek | 1c7a998 | 2023-05-30 09:21:20 -0400 | [diff] [blame] | 39 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \ |
| 40 | defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| Andrzej Kurek | 0064484 | 2023-05-30 05:45:00 -0400 | [diff] [blame] | 41 | static int local_err_translation(psa_status_t status) |
| 42 | { |
| 43 | return psa_status_to_mbedtls(status, psa_to_ssl_errors, |
| Andrzej Kurek | 1e4a030 | 2023-05-30 09:45:17 -0400 | [diff] [blame] | 44 | ARRAY_LENGTH(psa_to_ssl_errors), |
| Andrzej Kurek | 0064484 | 2023-05-30 05:45:00 -0400 | [diff] [blame] | 45 | psa_generic_status_to_mbedtls); |
| 46 | } |
| 47 | #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 48 | #endif |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 49 | #endif |
| 50 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 51 | #if defined(MBEDTLS_ECP_C) |
| Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 52 | #include "mbedtls/ecp.h" |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 53 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 54 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 55 | #if defined(MBEDTLS_HAVE_TIME) |
| Simon Butcher | b5b6af2 | 2016-07-13 14:46:18 +0100 | [diff] [blame] | 56 | #include "mbedtls/platform_time.h" |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 57 | #endif |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 58 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 59 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 60 | int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, |
| 61 | const unsigned char *info, |
| 62 | size_t ilen) |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 63 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 64 | if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { |
| 65 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 66 | } |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 67 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 68 | mbedtls_free(ssl->cli_id); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 69 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 70 | if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) { |
| 71 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| 72 | } |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 73 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 74 | memcpy(ssl->cli_id, info, ilen); |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 75 | ssl->cli_id_len = ilen; |
| 76 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 77 | return 0; |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 78 | } |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 79 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 80 | void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, |
| 81 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 82 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| 83 | void *p_cookie) |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 84 | { |
| Manuel Pégourié-Gonnard | d36e33f | 2015-05-05 10:45:39 +0200 | [diff] [blame] | 85 | conf->f_cookie_write = f_cookie_write; |
| 86 | conf->f_cookie_check = f_cookie_check; |
| 87 | conf->p_cookie = p_cookie; |
| Manuel Pégourié-Gonnard | d485d19 | 2014-07-23 14:56:15 +0200 | [diff] [blame] | 88 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 89 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 43c0218 | 2014-07-22 17:32:01 +0200 | [diff] [blame] | 90 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 91 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 92 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 93 | static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 94 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 95 | if (conf->f_psk != NULL) { |
| 96 | return 1; |
| 97 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 98 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 99 | if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) { |
| 100 | return 0; |
| 101 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 102 | |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 103 | |
| 104 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 105 | if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { |
| 106 | return 1; |
| 107 | } |
| Neil Armstrong | 8ecd668 | 2022-05-05 11:40:35 +0200 | [diff] [blame] | 108 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 109 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 110 | if (conf->psk != NULL && conf->psk_len != 0) { |
| 111 | return 1; |
| 112 | } |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 113 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 114 | return 0; |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 115 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 116 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Hanno Becker | 845b946 | 2018-10-26 12:07:29 +0100 | [diff] [blame] | 117 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 118 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 119 | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
| 120 | const unsigned char *buf, |
| 121 | size_t len) |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 122 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 123 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 124 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 125 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 126 | if (len != 1 + ssl->verify_data_len || |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 127 | buf[0] != ssl->verify_data_len || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 128 | mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data, |
| 129 | ssl->verify_data_len) != 0) { |
| 130 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
| 131 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 132 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 133 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 134 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 135 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 136 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 137 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 138 | if (len != 1 || buf[0] != 0x0) { |
| 139 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info")); |
| 140 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 141 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 142 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 143 | } |
| 144 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 145 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 146 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 147 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 148 | return 0; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 149 | } |
| 150 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 151 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 152 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 153 | /* |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 154 | * Function for parsing a supported groups (TLS 1.3) or supported elliptic |
| 155 | * curves (TLS 1.2) extension. |
| 156 | * |
| 157 | * The "extension_data" field of a supported groups extension contains a |
| 158 | * "NamedGroupList" value (TLS 1.3 RFC8446): |
| 159 | * enum { |
| 160 | * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), |
| 161 | * x25519(0x001D), x448(0x001E), |
| 162 | * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), |
| 163 | * ffdhe6144(0x0103), ffdhe8192(0x0104), |
| 164 | * ffdhe_private_use(0x01FC..0x01FF), |
| 165 | * ecdhe_private_use(0xFE00..0xFEFF), |
| 166 | * (0xFFFF) |
| 167 | * } NamedGroup; |
| 168 | * struct { |
| 169 | * NamedGroup named_group_list<2..2^16-1>; |
| 170 | * } NamedGroupList; |
| 171 | * |
| 172 | * The "extension_data" field of a supported elliptic curves extension contains |
| 173 | * a "NamedCurveList" value (TLS 1.2 RFC 8422): |
| 174 | * enum { |
| 175 | * deprecated(1..22), |
| 176 | * secp256r1 (23), secp384r1 (24), secp521r1 (25), |
| 177 | * x25519(29), x448(30), |
| 178 | * reserved (0xFE00..0xFEFF), |
| 179 | * deprecated(0xFF01..0xFF02), |
| 180 | * (0xFFFF) |
| 181 | * } NamedCurve; |
| 182 | * struct { |
| 183 | * NamedCurve named_curve_list<2..2^16-1> |
| 184 | * } NamedCurveList; |
| 185 | * |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 186 | * The TLS 1.3 supported groups extension was defined to be a compatible |
| 187 | * generalization of the TLS 1.2 supported elliptic curves extension. They both |
| 188 | * share the same extension identifier. |
| Jerry Yu | d491ea4 | 2022-01-13 16:15:25 +0800 | [diff] [blame] | 189 | * |
| Jerry Yu | b925f21 | 2022-01-12 11:17:02 +0800 | [diff] [blame] | 190 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 191 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 192 | static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, |
| 193 | const unsigned char *buf, |
| 194 | size_t len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 195 | { |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 196 | size_t list_size, our_size; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 197 | const unsigned char *p; |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 198 | uint16_t *curves_tls_id; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 199 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 200 | if (len < 2) { |
| 201 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 202 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 203 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 204 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 205 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 206 | list_size = ((buf[0] << 8) | (buf[1])); |
| 207 | if (list_size + 2 != len || |
| 208 | list_size % 2 != 0) { |
| 209 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 210 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 211 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 212 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 213 | } |
| 214 | |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 215 | /* Should never happen unless client duplicates the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 216 | if (ssl->handshake->curves_tls_id != NULL) { |
| 217 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 218 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 219 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 220 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 43c3b28 | 2014-10-17 12:42:11 +0200 | [diff] [blame] | 221 | } |
| 222 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 223 | /* Don't allow our peer to make us allocate too much memory, |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 224 | * and leave room for a final 0 */ |
| 225 | our_size = list_size / 2 + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 226 | if (our_size > MBEDTLS_ECP_DP_MAX) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 227 | our_size = MBEDTLS_ECP_DP_MAX; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 228 | } |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 229 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 230 | if ((curves_tls_id = mbedtls_calloc(our_size, |
| 231 | sizeof(*curves_tls_id))) == NULL) { |
| 232 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 233 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 234 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 235 | } |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 236 | |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 237 | ssl->handshake->curves_tls_id = curves_tls_id; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 238 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 239 | p = buf + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 240 | while (list_size > 0 && our_size > 1) { |
| 241 | uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0); |
| Manuel Pégourié-Gonnard | 568c9cf | 2013-09-16 17:30:04 +0200 | [diff] [blame] | 242 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 243 | if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) != |
| 244 | MBEDTLS_ECP_DP_NONE) { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 245 | *curves_tls_id++ = curr_tls_id; |
| Manuel Pégourié-Gonnard | d09453c | 2013-09-23 19:11:32 +0200 | [diff] [blame] | 246 | our_size--; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 247 | } |
| 248 | |
| 249 | list_size -= 2; |
| 250 | p += 2; |
| 251 | } |
| 252 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 253 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 254 | } |
| 255 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 256 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 257 | static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, |
| 258 | const unsigned char *buf, |
| 259 | size_t len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 260 | { |
| 261 | size_t list_size; |
| 262 | const unsigned char *p; |
| 263 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 264 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
| 265 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 266 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 267 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 268 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 269 | } |
| Philippe Antoine | 747fd53 | 2018-05-30 09:13:21 +0200 | [diff] [blame] | 270 | list_size = buf[0]; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 271 | |
| Manuel Pégourié-Gonnard | c1b46d0 | 2015-09-16 11:18:32 +0200 | [diff] [blame] | 272 | p = buf + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 273 | while (list_size > 0) { |
| 274 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 275 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
| Valerio Setti | 77a904c | 2023-03-24 07:28:49 +0100 | [diff] [blame] | 276 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) |
| Manuel Pégourié-Gonnard | 5734b2d | 2013-08-15 19:04:02 +0200 | [diff] [blame] | 277 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| Valerio Setti | 77a904c | 2023-03-24 07:28:49 +0100 | [diff] [blame] | 278 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_ECDH_C */ |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 279 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 280 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 281 | mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, |
| 282 | p[0]); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 283 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 284 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
| 285 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 286 | } |
| 287 | |
| 288 | list_size--; |
| 289 | p++; |
| 290 | } |
| 291 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 292 | return 0; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 293 | } |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 294 | #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 295 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 296 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 297 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 298 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 299 | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
| 300 | const unsigned char *buf, |
| 301 | size_t len) |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 302 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 303 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 304 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 305 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 306 | if (ssl->handshake->psa_pake_ctx_is_ok != 1) |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 307 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 308 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 309 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 310 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 311 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
| 312 | return 0; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 313 | } |
| 314 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 315 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 316 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 317 | &ssl->handshake->psa_pake_ctx, buf, len, |
| 318 | MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { |
| 319 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 320 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 321 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 322 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 323 | mbedtls_ssl_send_alert_message( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 324 | ssl, |
| 325 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 326 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 327 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 328 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 329 | } |
| 330 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 331 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
| 332 | buf, len)) != 0) { |
| 333 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
| 334 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 335 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 336 | return ret; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 337 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 338 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 339 | |
| 340 | /* Only mark the extension as OK when we're sure it is */ |
| 341 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| 342 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 343 | return 0; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 344 | } |
| 345 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 346 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 347 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 348 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 349 | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 350 | const unsigned char *buf, |
| 351 | size_t len) |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 352 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 353 | if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) { |
| 354 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 355 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 356 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 357 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 358 | } |
| 359 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 360 | ssl->session_negotiate->mfl_code = buf[0]; |
| 361 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 362 | return 0; |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 363 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 364 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 365 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 366 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 367 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 368 | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
| 369 | const unsigned char *buf, |
| 370 | size_t len) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 371 | { |
| 372 | size_t peer_cid_len; |
| 373 | |
| 374 | /* CID extension only makes sense in DTLS */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 375 | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 376 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 377 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 378 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 379 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 380 | } |
| 381 | |
| 382 | /* |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 383 | * struct { |
| 384 | * opaque cid<0..2^8-1>; |
| 385 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 386 | */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 387 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 388 | if (len < 1) { |
| 389 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 390 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 391 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 392 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 393 | } |
| 394 | |
| 395 | peer_cid_len = *buf++; |
| 396 | len--; |
| 397 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 398 | if (len != peer_cid_len) { |
| 399 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 400 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 401 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 402 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 403 | } |
| 404 | |
| 405 | /* Ignore CID if the user has disabled its use. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 406 | if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 407 | /* Leave ssl->handshake->cid_in_use in its default |
| 408 | * value of MBEDTLS_SSL_CID_DISABLED. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 409 | MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled")); |
| 410 | return 0; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 411 | } |
| 412 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 413 | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
| 414 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 415 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 416 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 417 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 418 | } |
| 419 | |
| Hanno Becker | 08556bf | 2019-05-03 12:43:44 +0100 | [diff] [blame] | 420 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 421 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 422 | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 423 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 424 | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
| 425 | MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 426 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 427 | return 0; |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 428 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 429 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 430 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 431 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 432 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 433 | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 434 | const unsigned char *buf, |
| 435 | size_t len) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 436 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 437 | if (len != 0) { |
| 438 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 439 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 440 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 441 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 442 | } |
| 443 | |
| 444 | ((void) buf); |
| 445 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 446 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 447 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 448 | } |
| 449 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 450 | return 0; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 451 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 452 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 453 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 454 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 455 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 456 | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 457 | const unsigned char *buf, |
| 458 | size_t len) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 459 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 460 | if (len != 0) { |
| 461 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 462 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 463 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 464 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 465 | } |
| 466 | |
| 467 | ((void) buf); |
| 468 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 469 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 470 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| Manuel Pégourié-Gonnard | b575b54 | 2014-10-24 15:12:31 +0200 | [diff] [blame] | 471 | } |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 472 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 473 | return 0; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 474 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 475 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 476 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 477 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 478 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 479 | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 480 | unsigned char *buf, |
| 481 | size_t len) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 482 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 483 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 484 | mbedtls_ssl_session session; |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 485 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 486 | mbedtls_ssl_session_init(&session); |
| Manuel Pégourié-Gonnard | bae389b | 2015-06-24 10:45:58 +0200 | [diff] [blame] | 487 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 488 | if (ssl->conf->f_ticket_parse == NULL || |
| 489 | ssl->conf->f_ticket_write == NULL) { |
| 490 | return 0; |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 491 | } |
| Manuel Pégourié-Gonnard | aa0d4d1 | 2013-08-03 13:02:31 +0200 | [diff] [blame] | 492 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 493 | /* Remember the client asked us to send a new ticket */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 494 | ssl->handshake->new_session_ticket = 1; |
| 495 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 496 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len)); |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 497 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 498 | if (len == 0) { |
| 499 | return 0; |
| 500 | } |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 501 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 502 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 503 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 504 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating")); |
| 505 | return 0; |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 506 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 507 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 508 | |
| 509 | /* |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 510 | * Failures are ok: just ignore the ticket and proceed. |
| 511 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 512 | if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session, |
| 513 | buf, len)) != 0) { |
| 514 | mbedtls_ssl_session_free(&session); |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 515 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 516 | if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { |
| 517 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); |
| 518 | } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { |
| 519 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); |
| 520 | } else { |
| 521 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); |
| 522 | } |
| Manuel Pégourié-Gonnard | d59675d | 2015-05-19 15:28:00 +0200 | [diff] [blame] | 523 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 524 | return 0; |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 525 | } |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 526 | |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 527 | /* |
| 528 | * Keep the session ID sent by the client, since we MUST send it back to |
| 529 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| 530 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 531 | session.id_len = ssl->session_negotiate->id_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 532 | memcpy(&session.id, ssl->session_negotiate->id, session.id_len); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 533 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 534 | mbedtls_ssl_session_free(ssl->session_negotiate); |
| 535 | memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session)); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 536 | |
| 537 | /* Zeroize instead of free as we copied the content */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 538 | mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session)); |
| Manuel Pégourié-Gonnard | 69f1728 | 2015-05-18 14:35:08 +0200 | [diff] [blame] | 539 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 540 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket")); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 541 | |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 542 | ssl->handshake->resume = 1; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 543 | |
| Manuel Pégourié-Gonnard | 306827e | 2013-08-02 18:05:14 +0200 | [diff] [blame] | 544 | /* Don't send a new ticket after all, this one is OK */ |
| 545 | ssl->handshake->new_session_ticket = 0; |
| 546 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 547 | return 0; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 548 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 549 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 550 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 551 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 552 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 553 | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 554 | const unsigned char *buf, |
| 555 | size_t len) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 556 | { |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 557 | mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 558 | size_t i, j; |
| Johan Pascal | f6417ec | 2020-09-22 15:15:19 +0200 | [diff] [blame] | 559 | size_t profile_length; |
| 560 | uint16_t mki_length; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 561 | /*! 2 bytes for profile length and 1 byte for mki len */ |
| 562 | const size_t size_of_lengths = 3; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 563 | |
| 564 | /* If use_srtp is not configured, just ignore the extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 565 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 566 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 567 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 568 | return 0; |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 569 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 570 | |
| 571 | /* RFC5764 section 4.1.1 |
| 572 | * uint8 SRTPProtectionProfile[2]; |
| 573 | * |
| 574 | * struct { |
| 575 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 576 | * opaque srtp_mki<0..255>; |
| 577 | * } UseSRTPData; |
| 578 | |
| 579 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 580 | */ |
| 581 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 582 | /* |
| 583 | * Min length is 5: at least one protection profile(2 bytes) |
| 584 | * and length(2 bytes) + srtp_mki length(1 byte) |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 585 | * Check here that we have at least 2 bytes of protection profiles length |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 586 | * and one of srtp_mki length |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 587 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 588 | if (len < size_of_lengths) { |
| 589 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 590 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 591 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 592 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 593 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 594 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 595 | |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 596 | /* first 2 bytes are protection profile length(in bytes) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 597 | profile_length = (buf[0] << 8) | buf[1]; |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 598 | buf += 2; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 599 | |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 600 | /* The profile length cannot be bigger than input buffer size - lengths fields */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 601 | if (profile_length > len - size_of_lengths || |
| 602 | profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */ |
| 603 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 604 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 605 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ron Eldor | 313d7b5 | 2018-12-10 14:56:21 +0200 | [diff] [blame] | 606 | } |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 607 | /* |
| 608 | * parse the extension list values are defined in |
| 609 | * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml |
| 610 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 611 | for (j = 0; j < profile_length; j += 2) { |
| Johan Pascal | 76fdf1d | 2020-10-22 23:31:00 +0200 | [diff] [blame] | 612 | uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 613 | client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 614 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | if (client_protection != MBEDTLS_TLS_SRTP_UNSET) { |
| 616 | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
| 617 | mbedtls_ssl_get_srtp_profile_as_string( |
| 618 | client_protection))); |
| 619 | } else { |
| Johan Pascal | 8526957 | 2020-08-25 10:01:54 +0200 | [diff] [blame] | 620 | continue; |
| 621 | } |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 622 | /* check if suggested profile is in our list */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 623 | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
| 624 | if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
| Ron Eldor | 3adb992 | 2017-12-21 10:15:08 +0200 | [diff] [blame] | 625 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 626 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
| 627 | mbedtls_ssl_get_srtp_profile_as_string( |
| 628 | client_protection))); |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 629 | break; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 630 | } |
| 631 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 632 | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 633 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 634 | } |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 635 | } |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 636 | buf += profile_length; /* buf points to the mki length */ |
| 637 | mki_length = *buf; |
| 638 | buf++; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 639 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 640 | if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || |
| 641 | mki_length + profile_length + size_of_lengths != len) { |
| 642 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 643 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 644 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 645 | } |
| 646 | |
| 647 | /* Parse the mki only if present and mki is supported locally */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 648 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && |
| 649 | mki_length > 0) { |
| Johan Pascal | 042d456 | 2020-08-25 12:14:02 +0200 | [diff] [blame] | 650 | ssl->dtls_srtp_info.mki_len = mki_length; |
| 651 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 652 | memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length); |
| Ron Eldor | b465539 | 2018-07-05 18:25:39 +0300 | [diff] [blame] | 653 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 654 | MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value, |
| 655 | ssl->dtls_srtp_info.mki_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 656 | } |
| 657 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 658 | return 0; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 659 | } |
| 660 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 661 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 662 | /* |
| 663 | * Auxiliary functions for ServerHello parsing and related actions |
| 664 | */ |
| 665 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 666 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 667 | /* |
| Manuel Pégourié-Gonnard | 6458e3b | 2015-01-08 14:16:56 +0100 | [diff] [blame] | 668 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 669 | */ |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 670 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 671 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 672 | static int ssl_check_key_curve(mbedtls_pk_context *pk, |
| 673 | uint16_t *curves_tls_id) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 674 | { |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 675 | uint16_t *curr_tls_id = curves_tls_id; |
| Valerio Setti | 77a7568 | 2023-05-15 11:18:46 +0200 | [diff] [blame] | 676 | mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id; |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 677 | mbedtls_ecp_group_id curr_grp_id; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 678 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 679 | while (*curr_tls_id != 0) { |
| 680 | curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| 681 | if (curr_grp_id == grp_id) { |
| 682 | return 0; |
| 683 | } |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 684 | curr_tls_id++; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 685 | } |
| 686 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 687 | return -1; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 688 | } |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 689 | #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 690 | |
| 691 | /* |
| 692 | * Try picking a certificate for this ciphersuite, |
| 693 | * return 0 on success and -1 on failure. |
| 694 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 695 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 696 | static int ssl_pick_cert(mbedtls_ssl_context *ssl, |
| 697 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 698 | { |
| Glenn Strauss | 041a376 | 2022-03-15 06:08:29 -0400 | [diff] [blame] | 699 | mbedtls_ssl_key_cert *cur, *list; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 700 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 701 | psa_algorithm_t pk_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 702 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 703 | psa_key_usage_t pk_usage = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 704 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 705 | #else |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 706 | mbedtls_pk_type_t pk_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 707 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 708 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | e6ef16f | 2015-05-11 19:54:43 +0200 | [diff] [blame] | 709 | uint32_t flags; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 710 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 711 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 712 | if (ssl->handshake->sni_key_cert != NULL) { |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 713 | list = ssl->handshake->sni_key_cert; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 714 | } else |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 715 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 716 | list = ssl->conf->key_cert; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 717 | |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 718 | int pk_alg_is_none = 0; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 719 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 720 | pk_alg_is_none = (pk_alg == PSA_ALG_NONE); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 721 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 722 | pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 723 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 724 | if (pk_alg_is_none) { |
| 725 | return 0; |
| Manuel Pégourié-Gonnard | e540b49 | 2015-07-07 12:44:38 +0200 | [diff] [blame] | 726 | } |
| 727 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 728 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate")); |
| 729 | |
| 730 | if (list == NULL) { |
| 731 | MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); |
| 732 | return -1; |
| 733 | } |
| 734 | |
| 735 | for (cur = list; cur != NULL; cur = cur->next) { |
| Andrzej Kurek | 7ed01e8 | 2020-03-18 11:51:59 -0400 | [diff] [blame] | 736 | flags = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 737 | MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate", |
| 738 | cur->cert); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 739 | |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 740 | int key_type_matches = 0; |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 741 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 742 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 743 | key_type_matches = ((ssl->conf->f_async_sign_start != NULL || |
| 744 | ssl->conf->f_async_decrypt_start != NULL || |
| 745 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) && |
| 746 | mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage)); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 747 | #else |
| David Horstmann | 3a334c2 | 2022-10-25 10:53:44 +0100 | [diff] [blame] | 748 | key_type_matches = ( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 749 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 750 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 751 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 752 | key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg); |
| Neil Armstrong | 0c9c10a | 2022-05-12 14:15:06 +0200 | [diff] [blame] | 753 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 754 | if (!key_type_matches) { |
| 755 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type")); |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 756 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 757 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 758 | |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 759 | /* |
| 760 | * This avoids sending the client a cert it'll reject based on |
| 761 | * keyUsage or other extensions. |
| 762 | * |
| 763 | * It also allows the user to provision different certificates for |
| 764 | * different uses based on keyUsage, eg if they want to avoid signing |
| 765 | * and decrypting with the same RSA key. |
| 766 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 767 | if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, |
| 768 | MBEDTLS_SSL_IS_SERVER, &flags) != 0) { |
| 769 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " |
| 770 | "(extended) key usage extension")); |
| Manuel Pégourié-Gonnard | 7f2a07d | 2014-04-09 09:50:57 +0200 | [diff] [blame] | 771 | continue; |
| 772 | } |
| 773 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 774 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 775 | if (pk_alg == MBEDTLS_PK_ECDSA && |
| 776 | ssl_check_key_curve(&cur->cert->pk, |
| 777 | ssl->handshake->curves_tls_id) != 0) { |
| 778 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve")); |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 779 | continue; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 780 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 781 | #endif |
| Manuel Pégourié-Gonnard | 846ba47 | 2015-01-08 13:54:38 +0100 | [diff] [blame] | 782 | |
| 783 | /* If we get there, we got a winner */ |
| 784 | break; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 785 | } |
| 786 | |
| Manuel Pégourié-Gonnard | 8f618a8 | 2015-05-10 21:13:36 +0200 | [diff] [blame] | 787 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 788 | if (cur != NULL) { |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 789 | ssl->handshake->key_cert = cur; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 790 | MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate", |
| 791 | ssl->handshake->key_cert->cert); |
| 792 | return 0; |
| Manuel Pégourié-Gonnard | df331a5 | 2015-01-08 16:43:07 +0100 | [diff] [blame] | 793 | } |
| 794 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 795 | return -1; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 796 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 797 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 798 | |
| 799 | /* |
| 800 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| 801 | * Sets ciphersuite_info only if the suite matches. |
| 802 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 803 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 804 | static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, |
| 805 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 806 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 807 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 808 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 809 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 810 | mbedtls_pk_type_t sig_type; |
| 811 | #endif |
| 812 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 813 | suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); |
| 814 | if (suite_info == NULL) { |
| 815 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 816 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 817 | } |
| 818 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 819 | MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)", |
| 820 | (unsigned int) suite_id, suite_info->name)); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 821 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 822 | if (suite_info->min_tls_version > ssl->tls_version || |
| 823 | suite_info->max_tls_version < ssl->tls_version) { |
| 824 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); |
| 825 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 826 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 827 | |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 828 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 829 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| 830 | (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) { |
| 831 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake " |
| 832 | "not configured or ext missing")); |
| 833 | return 0; |
| Manuel Pégourié-Gonnard | e511b4e | 2015-09-16 14:11:09 +0200 | [diff] [blame] | 834 | } |
| 835 | #endif |
| 836 | |
| 837 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 838 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 839 | if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && |
| 840 | (ssl->handshake->curves_tls_id == NULL || |
| 841 | ssl->handshake->curves_tls_id[0] == 0)) { |
| 842 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 843 | "no common elliptic curve")); |
| 844 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 845 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 846 | #endif |
| 847 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 848 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 849 | /* If the ciphersuite requires a pre-shared key and we don't |
| 850 | * have one, skip it now rather than failing later */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 851 | if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && |
| 852 | ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 853 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key")); |
| 854 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 855 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 856 | #endif |
| 857 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 858 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 859 | /* |
| 860 | * Final check: if ciphersuite requires us to have a |
| 861 | * certificate/key of a particular type: |
| 862 | * - select the appropriate certificate if we have one, or |
| 863 | * - try the next ciphersuite if we don't |
| 864 | * This must be done last since we modify the key_cert list. |
| 865 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 866 | if (ssl_pick_cert(ssl, suite_info) != 0) { |
| 867 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 868 | "no suitable certificate")); |
| 869 | return 0; |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 870 | } |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 871 | #endif |
| 872 | |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 873 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 874 | /* If the ciphersuite requires signing, check whether |
| 875 | * a suitable hash algorithm is present. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 876 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); |
| 877 | if (sig_type != MBEDTLS_PK_NONE && |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 878 | mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 879 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { |
| 880 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " |
| 881 | "for signature algorithm %u", (unsigned) sig_type)); |
| 882 | return 0; |
| Neil Armstrong | 9f1176a | 2022-06-24 18:19:19 +0200 | [diff] [blame] | 883 | } |
| 884 | |
| 885 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 886 | |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 887 | *ciphersuite_info = suite_info; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 888 | return 0; |
| Manuel Pégourié-Gonnard | 3252560 | 2013-11-30 17:50:32 +0100 | [diff] [blame] | 889 | } |
| 890 | |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 891 | /* This function doesn't alert on errors that happen early during |
| 892 | ClientHello parsing because they might indicate that the client is |
| 893 | not talking SSL/TLS at all and would not understand our alert. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 894 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 895 | static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 896 | { |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 897 | int ret, got_common_suite; |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 898 | size_t i, j; |
| 899 | size_t ciph_offset, comp_offset, ext_offset; |
| 900 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 901 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Manuel Pégourié-Gonnard | 9de64f5 | 2015-07-01 15:51:43 +0200 | [diff] [blame] | 902 | size_t cookie_offset, cookie_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 903 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 904 | unsigned char *buf, *p, *ext; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 905 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 906 | int renegotiation_info_seen = 0; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 907 | #endif |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 908 | int handshake_failure = 0; |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 909 | const int *ciphersuites; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 910 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 911 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 912 | /* If there is no signature-algorithm extension present, |
| 913 | * we need to fall back to the default values for allowed |
| 914 | * signature-hash pairs. */ |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 915 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 916 | int sig_hash_alg_ext_present = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 917 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 918 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 919 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 920 | |
| David Horstmann | e0af39a | 2022-10-06 18:19:18 +0100 | [diff] [blame] | 921 | int renegotiating; |
| 922 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 923 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 924 | read_record_header: |
| 925 | #endif |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 926 | /* |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 927 | * If renegotiating, then the input was read with mbedtls_ssl_read_record(), |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 928 | * otherwise read it ourselves manually in order to support SSLv2 |
| 929 | * ClientHello, which doesn't use the same record layer format. |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 930 | * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the |
| 931 | * ClientHello has been already fully fetched by the TLS 1.3 code and the |
| 932 | * flag ssl->keep_current_message is raised. |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 933 | */ |
| David Horstmann | e0af39a | 2022-10-06 18:19:18 +0100 | [diff] [blame] | 934 | renegotiating = 0; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 935 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 936 | renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 937 | #endif |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 938 | if (!renegotiating && !ssl->keep_current_message) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 939 | if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 940 | /* No alert on a read error. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 941 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); |
| 942 | return ret; |
| Manuel Pégourié-Gonnard | 59c6f2e | 2015-01-22 11:06:40 +0000 | [diff] [blame] | 943 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 944 | } |
| 945 | |
| 946 | buf = ssl->in_hdr; |
| 947 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 948 | MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl)); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 949 | |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 950 | /* |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 951 | * TLS Client Hello |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 952 | * |
| 953 | * Record layer: |
| 954 | * 0 . 0 message type |
| 955 | * 1 . 2 protocol version |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 956 | * 3 . 11 DTLS: epoch + record sequence number |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 957 | * 3 . 4 message length |
| 958 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 959 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d", |
| 960 | buf[0])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 961 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 962 | if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 963 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 964 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 965 | } |
| 966 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 967 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d", |
| 968 | (ssl->in_len[0] << 8) | ssl->in_len[1])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 969 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 970 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]", |
| 971 | buf[1], buf[2])); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 972 | |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 973 | /* For DTLS if this is the initial handshake, remember the client sequence |
| 974 | * number to use it in our next message (RFC 6347 4.2.1) */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 975 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 976 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 977 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 978 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 3a173f4 | 2015-01-22 13:30:33 +0000 | [diff] [blame] | 979 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 980 | ) { |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 981 | /* Epoch should be 0 for initial handshakes */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 982 | if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) { |
| 983 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 984 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 985 | } |
| 986 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 987 | memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2, |
| 988 | sizeof(ssl->cur_out_ctr) - 2); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 989 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 990 | #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 991 | if (mbedtls_ssl_dtls_replay_check(ssl) != 0) { |
| 992 | MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding")); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 993 | ssl->next_record_offset = 0; |
| 994 | ssl->in_left = 0; |
| 995 | goto read_record_header; |
| 996 | } |
| 997 | |
| 998 | /* No MAC to check yet, so we can update right now */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 999 | mbedtls_ssl_dtls_replay_update(ssl); |
| Manuel Pégourié-Gonnard | f03c7aa | 2014-09-24 14:54:06 +0200 | [diff] [blame] | 1000 | #endif |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1001 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1002 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1003 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1004 | msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1005 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1006 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1007 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1008 | /* Set by mbedtls_ssl_read_record() */ |
| Manuel Pégourié-Gonnard | b89c4f3 | 2015-01-21 13:24:10 +0000 | [diff] [blame] | 1009 | msg_len = ssl->in_hslen; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1010 | } else |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1011 | #endif |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1012 | { |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1013 | if (ssl->keep_current_message) { |
| 1014 | ssl->keep_current_message = 0; |
| 1015 | } else { |
| 1016 | if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) { |
| 1017 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1018 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 1019 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1020 | |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1021 | if ((ret = mbedtls_ssl_fetch_input(ssl, |
| 1022 | mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) { |
| 1023 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); |
| 1024 | return ret; |
| 1025 | } |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1026 | |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1027 | /* Done reading this record, get ready for the next one */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1028 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1029 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1030 | ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl); |
| 1031 | } else |
| Manuel Pégourié-Gonnard | 30d16eb | 2014-08-19 17:43:50 +0200 | [diff] [blame] | 1032 | #endif |
| Ronald Cron | 6291b23 | 2023-03-08 15:51:25 +0100 | [diff] [blame] | 1033 | ssl->in_left = 0; |
| 1034 | } |
| Manuel Pégourié-Gonnard | d6b721c | 2014-03-24 12:13:54 +0100 | [diff] [blame] | 1035 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1036 | |
| 1037 | buf = ssl->in_msg; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1038 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1039 | MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1040 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 1041 | ret = ssl->handshake->update_checksum(ssl, buf, msg_len); |
| 1042 | if (0 != ret) { |
| 1043 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
| 1044 | return ret; |
| 1045 | } |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1046 | |
| 1047 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1048 | * Handshake layer: |
| 1049 | * 0 . 0 handshake type |
| 1050 | * 1 . 3 handshake length |
| Shaun Case | 8b0ecbc | 2021-12-20 21:14:10 -0800 | [diff] [blame] | 1051 | * 4 . 5 DTLS only: message sequence number |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1052 | * 6 . 8 DTLS only: fragment offset |
| 1053 | * 9 . 11 DTLS only: fragment length |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1054 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1055 | if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) { |
| 1056 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1057 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1058 | } |
| 1059 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1060 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0])); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1061 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1062 | if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) { |
| 1063 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1064 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1065 | } |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1066 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1067 | size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); |
| 1068 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", |
| 1069 | (unsigned) handshake_len)); |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1070 | |
| 1071 | /* The record layer has a record size limit of 2^14 - 1 and |
| 1072 | * fragmentation is not supported, so buf[1] should be zero. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1073 | if (buf[1] != 0) { |
| 1074 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", |
| 1075 | (unsigned) buf[1])); |
| 1076 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1077 | } |
| 1078 | |
| 1079 | /* We don't support fragmentation of ClientHello (yet?) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1080 | if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { |
| 1081 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", |
| 1082 | (unsigned) msg_len, |
| 1083 | (unsigned) mbedtls_ssl_hs_hdr_len(ssl), |
| 1084 | (unsigned) handshake_len)); |
| 1085 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1086 | } |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1087 | } |
| 1088 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1089 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1090 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1091 | /* |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1092 | * Copy the client's handshake message_seq on initial handshakes, |
| 1093 | * check sequence number on renego. |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 1094 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1095 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1096 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1097 | /* This couldn't be done in ssl_prepare_handshake_record() */ |
| Thomas Daubney | f9f0ba8 | 2023-05-23 17:34:33 +0100 | [diff] [blame] | 1098 | unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1099 | if (cli_msg_seq != ssl->handshake->in_msg_seq) { |
| 1100 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: " |
| 1101 | "%u (expected %u)", cli_msg_seq, |
| 1102 | ssl->handshake->in_msg_seq)); |
| 1103 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 1aa586e | 2014-09-03 12:54:04 +0200 | [diff] [blame] | 1104 | } |
| 1105 | |
| 1106 | ssl->handshake->in_msg_seq++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1107 | } else |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1108 | #endif |
| 1109 | { |
| Thomas Daubney | f9f0ba8 | 2023-05-23 17:34:33 +0100 | [diff] [blame] | 1110 | unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4); |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1111 | ssl->handshake->out_msg_seq = cli_msg_seq; |
| 1112 | ssl->handshake->in_msg_seq = cli_msg_seq + 1; |
| 1113 | } |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1114 | { |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1115 | /* |
| 1116 | * For now we don't support fragmentation, so make sure |
| 1117 | * fragment_offset == 0 and fragment_length == length |
| 1118 | */ |
| 1119 | size_t fragment_offset, fragment_length, length; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1120 | fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6); |
| 1121 | fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9); |
| 1122 | length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1); |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1123 | MBEDTLS_SSL_DEBUG_MSG( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1124 | 4, ("fragment_offset=%u fragment_length=%u length=%u", |
| 1125 | (unsigned) fragment_offset, (unsigned) fragment_length, |
| 1126 | (unsigned) length)); |
| 1127 | if (fragment_offset != 0 || length != fragment_length) { |
| 1128 | MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported")); |
| 1129 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Andrzej Kurek | cbe14ec | 2022-06-15 07:17:28 -0400 | [diff] [blame] | 1130 | } |
| Manuel Pégourié-Gonnard | e89bcf0 | 2014-02-18 18:50:02 +0100 | [diff] [blame] | 1131 | } |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1132 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1133 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1134 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1135 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
| 1136 | msg_len -= mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1137 | |
| Manuel Pégourié-Gonnard | ce441b3 | 2014-02-18 17:40:52 +0100 | [diff] [blame] | 1138 | /* |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1139 | * ClientHello layer: |
| 1140 | * 0 . 1 protocol version |
| 1141 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| 1142 | * 34 . 35 session id length (1 byte) |
| 1143 | * 35 . 34+x session id |
| 1144 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| 1145 | * 36+x . .. DTLS only: cookie |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1146 | * .. . .. ciphersuite list length (2 bytes) |
| 1147 | * .. . .. ciphersuite list |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1148 | * .. . .. compression alg. list length (1 byte) |
| 1149 | * .. . .. compression alg. list |
| 1150 | * .. . .. extensions length (2 bytes, optional) |
| 1151 | * .. . .. extensions (optional) |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1152 | */ |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1153 | |
| 1154 | /* |
| Antonin Décimo | 36e89b5 | 2019-01-23 15:24:37 +0100 | [diff] [blame] | 1155 | * Minimal length (with everything empty and extensions omitted) is |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1156 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| 1157 | * read at least up to session id length without worrying. |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1158 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1159 | if (msg_len < 38) { |
| 1160 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1161 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1162 | } |
| 1163 | |
| 1164 | /* |
| 1165 | * Check and save the protocol version |
| 1166 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1167 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1168 | |
| Agathiyan Bragadeesh | 8b52b88 | 2023-07-13 13:12:40 +0100 | [diff] [blame^] | 1169 | ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf, |
| 1170 | ssl->conf->transport); |
| Glenn Strauss | 60bfe60 | 2022-03-14 19:04:24 -0400 | [diff] [blame] | 1171 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1172 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1173 | if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { |
| 1174 | MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); |
| 1175 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1176 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| 1177 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| Paul Bakker | 1d29fb5 | 2012-09-28 13:28:45 +0000 | [diff] [blame] | 1178 | } |
| 1179 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1180 | /* |
| 1181 | * Save client random (inc. Unix time) |
| 1182 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1183 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1184 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1185 | memcpy(ssl->handshake->randbytes, buf + 2, 32); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1186 | |
| 1187 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1188 | * Check the session ID length and save session ID |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1189 | */ |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1190 | sess_len = buf[34]; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1191 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1192 | if (sess_len > sizeof(ssl->session_negotiate->id) || |
| 1193 | sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */ |
| 1194 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1195 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1196 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1197 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1198 | } |
| 1199 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1200 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1201 | |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 1202 | ssl->session_negotiate->id_len = sess_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1203 | memset(ssl->session_negotiate->id, 0, |
| 1204 | sizeof(ssl->session_negotiate->id)); |
| 1205 | memcpy(ssl->session_negotiate->id, buf + 35, |
| 1206 | ssl->session_negotiate->id_len); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1207 | |
| 1208 | /* |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1209 | * Check the cookie length and content |
| 1210 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1211 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1212 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| Manuel Pégourié-Gonnard | 19d438f | 2014-09-09 17:08:52 +0200 | [diff] [blame] | 1213 | cookie_offset = 35 + sess_len; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1214 | cookie_len = buf[cookie_offset]; |
| 1215 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1216 | if (cookie_offset + 1 + cookie_len + 2 > msg_len) { |
| 1217 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1218 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1219 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1220 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1221 | } |
| 1222 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1223 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", |
| 1224 | buf + cookie_offset + 1, cookie_len); |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1225 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1226 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1227 | if (ssl->conf->f_cookie_check != NULL |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1228 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1229 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1230 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1231 | ) { |
| 1232 | if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, |
| 1233 | buf + cookie_offset + 1, cookie_len, |
| 1234 | ssl->cli_id, ssl->cli_id_len) != 0) { |
| 1235 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1236 | ssl->handshake->cookie_verify_result = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1237 | } else { |
| 1238 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 1239 | ssl->handshake->cookie_verify_result = 0; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1240 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1241 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1242 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1243 | { |
| 1244 | /* We know we didn't send a cookie, so it should be empty */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1245 | if (cookie_len != 0) { |
| Gilles Peskine | 1cc8e34 | 2017-05-03 16:28:34 +0200 | [diff] [blame] | 1246 | /* This may be an attacker's probe, so don't send an alert */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1247 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1248 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1249 | } |
| 1250 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1251 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 1252 | } |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1253 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1254 | /* |
| 1255 | * Check the ciphersuitelist length (will be parsed later) |
| 1256 | */ |
| Manuel Pégourié-Gonnard | 4128aa7 | 2014-03-21 09:40:12 +0100 | [diff] [blame] | 1257 | ciph_offset = cookie_offset + 1 + cookie_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1258 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1259 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1260 | ciph_offset = 35 + sess_len; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1261 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1262 | ciph_len = (buf[ciph_offset + 0] << 8) |
| 1263 | | (buf[ciph_offset + 1]); |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1265 | if (ciph_len < 2 || |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1266 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1267 | (ciph_len % 2) != 0) { |
| 1268 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1269 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1270 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1271 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1272 | } |
| 1273 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1274 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", |
| 1275 | buf + ciph_offset + 2, ciph_len); |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1276 | |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1277 | /* |
| Thomas Daubney | 20f89a9 | 2022-06-20 15:12:19 +0100 | [diff] [blame] | 1278 | * Check the compression algorithm's length. |
| 1279 | * The list contents are ignored because implementing |
| 1280 | * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only |
| 1281 | * option supported by Mbed TLS. |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1282 | */ |
| 1283 | comp_offset = ciph_offset + 2 + ciph_len; |
| 1284 | |
| 1285 | comp_len = buf[comp_offset]; |
| 1286 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1287 | if (comp_len < 1 || |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1288 | comp_len > 16 || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1289 | comp_len + comp_offset + 1 > msg_len) { |
| 1290 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1291 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1292 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1293 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | ec636f3 | 2012-09-09 19:17:02 +0000 | [diff] [blame] | 1294 | } |
| 1295 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1296 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", |
| 1297 | buf + comp_offset + 1, comp_len); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1298 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1299 | /* |
| 1300 | * Check the extension length |
| 1301 | */ |
| 1302 | ext_offset = comp_offset + 1 + comp_len; |
| 1303 | if (msg_len > ext_offset) { |
| 1304 | if (msg_len < ext_offset + 2) { |
| 1305 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1306 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1307 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1308 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1309 | } |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1310 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1311 | ext_len = (buf[ext_offset + 0] << 8) |
| 1312 | | (buf[ext_offset + 1]); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1313 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1314 | if (msg_len != ext_offset + 2 + ext_len) { |
| 1315 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1316 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1317 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1318 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1319 | } |
| 1320 | } else { |
| 1321 | ext_len = 0; |
| 1322 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1323 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1324 | ext = buf + ext_offset + 2; |
| 1325 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); |
| 1326 | |
| 1327 | while (ext_len != 0) { |
| 1328 | unsigned int ext_id; |
| 1329 | unsigned int ext_size; |
| 1330 | if (ext_len < 4) { |
| 1331 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1332 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1333 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1334 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1335 | } |
| 1336 | ext_id = ((ext[0] << 8) | (ext[1])); |
| 1337 | ext_size = ((ext[2] << 8) | (ext[3])); |
| 1338 | |
| 1339 | if (ext_size + 4 > ext_len) { |
| 1340 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1341 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1342 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1343 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1344 | } |
| 1345 | switch (ext_id) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1346 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1347 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1348 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); |
| 1349 | ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4, |
| 1350 | ext + 4 + ext_size); |
| 1351 | if (ret != 0) { |
| 1352 | return ret; |
| 1353 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1354 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1355 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| Paul Bakker | 5701cdc | 2012-09-27 21:49:42 +0000 | [diff] [blame] | 1356 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1357 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1358 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1359 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1360 | renegotiation_info_seen = 1; |
| Manuel Pégourié-Gonnard | eaecbd3 | 2014-11-06 02:38:02 +0100 | [diff] [blame] | 1361 | #endif |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1362 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1363 | ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size); |
| 1364 | if (ret != 0) { |
| 1365 | return ret; |
| 1366 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1367 | break; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1368 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1369 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1370 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1371 | MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); |
| Ron Eldor | 73a3817 | 2017-10-03 15:58:26 +0300 | [diff] [blame] | 1372 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1373 | ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size); |
| 1374 | if (ret != 0) { |
| 1375 | return ret; |
| 1376 | } |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1377 | |
| 1378 | sig_hash_alg_ext_present = 1; |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1379 | break; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1380 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1381 | |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1382 | #if defined(MBEDTLS_PK_CAN_ECDH) || defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1383 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Jerry Yu | b47d0f8 | 2021-12-20 17:34:40 +0800 | [diff] [blame] | 1384 | case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1385 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1386 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1387 | ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); |
| 1388 | if (ret != 0) { |
| 1389 | return ret; |
| 1390 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1391 | break; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1392 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1393 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1394 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension")); |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1395 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1396 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1397 | ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size); |
| 1398 | if (ret != 0) { |
| 1399 | return ret; |
| 1400 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1401 | break; |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1402 | #endif /* MBEDTLS_PK_CAN_ECDH || MBEDTLS_PK_CAN_ECDSA_SOME || |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 1403 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1404 | |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1405 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1406 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1407 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension")); |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1408 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1409 | ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size); |
| 1410 | if (ret != 0) { |
| 1411 | return ret; |
| 1412 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1413 | break; |
| Manuel Pégourié-Gonnard | bf57be6 | 2015-09-16 15:04:01 +0200 | [diff] [blame] | 1414 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1415 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1416 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1417 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1418 | MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1419 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1420 | ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); |
| 1421 | if (ret != 0) { |
| 1422 | return ret; |
| 1423 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1424 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1425 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 48f8d0d | 2013-07-17 10:25:37 +0200 | [diff] [blame] | 1426 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1427 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1428 | case MBEDTLS_TLS_EXT_CID: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1429 | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1430 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1431 | ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); |
| 1432 | if (ret != 0) { |
| 1433 | return ret; |
| 1434 | } |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1435 | break; |
| Thomas Daubney | e1c9a40 | 2021-06-15 11:26:43 +0100 | [diff] [blame] | 1436 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 89dcc88 | 2019-04-26 13:56:39 +0100 | [diff] [blame] | 1437 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1438 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1439 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1440 | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1441 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1442 | ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size); |
| 1443 | if (ret != 0) { |
| 1444 | return ret; |
| 1445 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1446 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1447 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1448 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1449 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1450 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1451 | MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1452 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1453 | ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size); |
| 1454 | if (ret != 0) { |
| 1455 | return ret; |
| 1456 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1457 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1458 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1459 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1460 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1461 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1462 | MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1463 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1464 | ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size); |
| 1465 | if (ret != 0) { |
| 1466 | return ret; |
| 1467 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1468 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1469 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1470 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1471 | #if defined(MBEDTLS_SSL_ALPN) |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1472 | case MBEDTLS_TLS_EXT_ALPN: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1473 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1474 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1475 | ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4, |
| 1476 | ext + 4 + ext_size); |
| 1477 | if (ret != 0) { |
| 1478 | return ret; |
| 1479 | } |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1480 | break; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1481 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 1482 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1483 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 1484 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1485 | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
| Johan Pascal | d576fdb | 2020-09-22 10:39:53 +0200 | [diff] [blame] | 1486 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1487 | ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size); |
| 1488 | if (ret != 0) { |
| 1489 | return ret; |
| 1490 | } |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1491 | break; |
| 1492 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1493 | |
| Simon Butcher | 584a547 | 2016-05-23 16:24:52 +0100 | [diff] [blame] | 1494 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1495 | MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)", |
| 1496 | ext_id)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1497 | } |
| Janos Follath | c6dab2b | 2016-05-23 14:27:02 +0100 | [diff] [blame] | 1498 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1499 | ext_len -= 4 + ext_size; |
| 1500 | ext += 4 + ext_size; |
| 1501 | } |
| 1502 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1503 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1504 | |
| 1505 | /* |
| 1506 | * Try to fall back to default hash SHA1 if the client |
| 1507 | * hasn't provided any preferred signature-hash combinations. |
| 1508 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1509 | if (!sig_hash_alg_ext_present) { |
| Gabor Mezei | 86acf05 | 2022-05-10 13:29:02 +0200 | [diff] [blame] | 1510 | uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; |
| 1511 | const uint16_t default_sig_algs[] = { |
| Valerio Setti | 1fa5c56 | 2023-03-20 13:56:38 +0100 | [diff] [blame] | 1512 | #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1513 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, |
| 1514 | MBEDTLS_SSL_HASH_SHA1), |
| Gabor Mezei | c1051b6 | 2022-05-10 13:13:58 +0200 | [diff] [blame] | 1515 | #endif |
| 1516 | #if defined(MBEDTLS_RSA_C) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1517 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, |
| 1518 | MBEDTLS_SSL_HASH_SHA1), |
| Gabor Mezei | c1051b6 | 2022-05-10 13:13:58 +0200 | [diff] [blame] | 1519 | #endif |
| Gabor Mezei | 86acf05 | 2022-05-10 13:29:02 +0200 | [diff] [blame] | 1520 | MBEDTLS_TLS_SIG_NONE |
| Gabor Mezei | 078e803 | 2022-04-27 21:17:56 +0200 | [diff] [blame] | 1521 | }; |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1522 | |
| Tom Cosgrove | 6ef9bb3 | 2023-03-08 14:19:51 +0000 | [diff] [blame] | 1523 | MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0]) |
| 1524 | <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE, |
| 1525 | "default_sig_algs is too big"); |
| Gabor Mezei | 078e803 | 2022-04-27 21:17:56 +0200 | [diff] [blame] | 1526 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1527 | memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1528 | } |
| 1529 | |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 1530 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1531 | |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1532 | /* |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1533 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| 1534 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1535 | for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) { |
| 1536 | if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) { |
| 1537 | MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO ")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1538 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1539 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| 1540 | MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV " |
| 1541 | "during renegotiation")); |
| 1542 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1543 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1544 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1545 | } |
| Manuel Pégourié-Gonnard | 69849f8 | 2015-03-10 11:54:02 +0000 | [diff] [blame] | 1546 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1547 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| Manuel Pégourié-Gonnard | 8933a65 | 2014-03-20 17:29:27 +0100 | [diff] [blame] | 1548 | break; |
| 1549 | } |
| 1550 | } |
| 1551 | |
| 1552 | /* |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1553 | * Renegotiation security checks |
| 1554 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1555 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| 1556 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
| 1557 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1558 | handshake_failure = 1; |
| 1559 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1560 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1561 | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1562 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1563 | renegotiation_info_seen == 0) { |
| 1564 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1565 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1566 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1567 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1568 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
| 1569 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1570 | handshake_failure = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1571 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1572 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1573 | renegotiation_info_seen == 1) { |
| 1574 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)")); |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1575 | handshake_failure = 1; |
| 1576 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1577 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Paul Bakker | d0f6fa7 | 2012-09-17 09:18:12 +0000 | [diff] [blame] | 1578 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1579 | if (handshake_failure == 1) { |
| 1580 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1581 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1582 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 1583 | } |
| Paul Bakker | 380da53 | 2012-04-18 16:10:25 +0000 | [diff] [blame] | 1584 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1585 | /* |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1586 | * Server certification selection (after processing TLS extensions) |
| 1587 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1588 | if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { |
| 1589 | MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); |
| 1590 | return ret; |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1591 | } |
| Glenn Strauss | 6989407 | 2022-01-24 12:58:00 -0500 | [diff] [blame] | 1592 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 1593 | ssl->handshake->sni_name = NULL; |
| 1594 | ssl->handshake->sni_name_len = 0; |
| 1595 | #endif |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1596 | |
| 1597 | /* |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1598 | * Search for a matching ciphersuite |
| Manuel Pégourié-Gonnard | 3ebb2cd | 2013-09-23 17:00:18 +0200 | [diff] [blame] | 1599 | * (At the end because we need information from the EC-based extensions |
| Glenn Strauss | 2ed9527 | 2022-01-21 18:02:17 -0500 | [diff] [blame] | 1600 | * and certificate from the SNI callback triggered by the SNI extension |
| 1601 | * or certificate from server certificate selection callback.) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1602 | */ |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1603 | got_common_suite = 0; |
| Hanno Becker | d60b6c6 | 2021-04-29 12:04:11 +0100 | [diff] [blame] | 1604 | ciphersuites = ssl->conf->ciphersuite_list; |
| Manuel Pégourié-Gonnard | 59b81d7 | 2013-11-30 17:46:04 +0100 | [diff] [blame] | 1605 | ciphersuite_info = NULL; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1606 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1607 | if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) { |
| 1608 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1609 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1610 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1611 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1612 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1613 | |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1614 | got_common_suite = 1; |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1615 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1616 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1617 | &ciphersuite_info)) != 0) { |
| 1618 | return ret; |
| 1619 | } |
| Manuel Pégourié-Gonnard | 011a8db | 2013-11-30 18:11:07 +0100 | [diff] [blame] | 1620 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1621 | if (ciphersuite_info != NULL) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1622 | goto have_ciphersuite; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1623 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1624 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1625 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1626 | } else { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1627 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1628 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1629 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1630 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1631 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1632 | |
| 1633 | got_common_suite = 1; |
| 1634 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1635 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1636 | &ciphersuite_info)) != 0) { |
| 1637 | return ret; |
| 1638 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1639 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1640 | if (ciphersuite_info != NULL) { |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1641 | goto have_ciphersuite; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1642 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1643 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1644 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 1645 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1646 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1647 | if (got_common_suite) { |
| 1648 | MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, " |
| 1649 | "but none of them usable")); |
| 1650 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1651 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1652 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1653 | } else { |
| 1654 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); |
| 1655 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1656 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1657 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Manuel Pégourié-Gonnard | f01768c | 2015-01-08 17:06:16 +0100 | [diff] [blame] | 1658 | } |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1659 | |
| 1660 | have_ciphersuite: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1661 | MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); |
| Manuel Pégourié-Gonnard | 607d663 | 2015-01-26 11:17:20 +0000 | [diff] [blame] | 1662 | |
| Paul Bakker | 8f4ddae | 2013-04-15 15:09:54 +0200 | [diff] [blame] | 1663 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 1664 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 1665 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1666 | ssl->state++; |
| 1667 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1668 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1669 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1670 | mbedtls_ssl_recv_flight_completed(ssl); |
| 1671 | } |
| Manuel Pégourié-Gonnard | 5d8ba53 | 2014-09-19 15:09:21 +0200 | [diff] [blame] | 1672 | #endif |
| 1673 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1674 | /* Debugging-only output for testsuite */ |
| 1675 | #if defined(MBEDTLS_DEBUG_C) && \ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 1676 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1677 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); |
| 1678 | if (sig_alg != MBEDTLS_PK_NONE) { |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 1679 | unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1680 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| 1681 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", |
| 1682 | sig_hash)); |
| 1683 | } else { |
| 1684 | MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm " |
| 1685 | "%u - should not happen", (unsigned) sig_alg)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 1686 | } |
| 1687 | #endif |
| 1688 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1689 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1690 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1691 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1692 | } |
| 1693 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1694 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1695 | static void ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
| 1696 | unsigned char *buf, |
| 1697 | size_t *olen) |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1698 | { |
| 1699 | unsigned char *p = buf; |
| 1700 | size_t ext_len; |
| 1701 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1702 | |
| 1703 | *olen = 0; |
| 1704 | |
| 1705 | /* Skip writing the extension if we don't want to use it or if |
| 1706 | * the client hasn't offered it. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1707 | if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) { |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1708 | return; |
| 1709 | } |
| 1710 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1711 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 1712 | * which is at most 255, so the increment cannot overflow. */ |
| 1713 | if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) { |
| 1714 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1715 | return; |
| 1716 | } |
| 1717 | |
| 1718 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension")); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1719 | |
| 1720 | /* |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1721 | * struct { |
| 1722 | * opaque cid<0..2^8-1>; |
| 1723 | * } ConnectionId; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1724 | */ |
| 1725 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1726 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1727 | ext_len = (size_t) ssl->own_cid_len + 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1728 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1729 | p += 2; |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1730 | |
| 1731 | *p++ = (uint8_t) ssl->own_cid_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1732 | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1733 | |
| 1734 | *olen = ssl->own_cid_len + 5; |
| 1735 | } |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 1736 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 1737 | |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 1738 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1739 | static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 1740 | unsigned char *buf, |
| 1741 | size_t *olen) |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1742 | { |
| 1743 | unsigned char *p = buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1744 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1745 | |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 1746 | /* |
| 1747 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| 1748 | * from a client and then selects a stream or Authenticated Encryption |
| 1749 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| 1750 | * encrypt-then-MAC response extension back to the client." |
| 1751 | */ |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1752 | suite = mbedtls_ssl_ciphersuite_from_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1753 | ssl->session_negotiate->ciphersuite); |
| 1754 | if (suite == NULL) { |
| Ronald Cron | 862902d | 2022-03-24 14:15:28 +0100 | [diff] [blame] | 1755 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1756 | } else { |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1757 | mbedtls_ssl_mode_t ssl_mode = |
| Neil Armstrong | ab555e0 | 2022-04-04 11:07:59 +0200 | [diff] [blame] | 1758 | mbedtls_ssl_get_mode_from_ciphersuite( |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1759 | ssl->session_negotiate->encrypt_then_mac, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1760 | suite); |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1761 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1762 | if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) { |
| Neil Armstrong | fe635e4 | 2022-04-01 10:36:09 +0200 | [diff] [blame] | 1763 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1764 | } |
| Ronald Cron | 862902d | 2022-03-24 14:15:28 +0100 | [diff] [blame] | 1765 | } |
| 1766 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1767 | if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { |
| Manuel Pégourié-Gonnard | 78e745f | 2014-11-04 15:44:06 +0100 | [diff] [blame] | 1768 | *olen = 0; |
| 1769 | return; |
| 1770 | } |
| 1771 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1772 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension")); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1773 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1774 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1775 | p += 2; |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1776 | |
| 1777 | *p++ = 0x00; |
| 1778 | *p++ = 0x00; |
| 1779 | |
| 1780 | *olen = 4; |
| 1781 | } |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 1782 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 1783 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1784 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1785 | static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 1786 | unsigned char *buf, |
| 1787 | size_t *olen) |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1788 | { |
| 1789 | unsigned char *p = buf; |
| 1790 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1791 | if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1792 | *olen = 0; |
| 1793 | return; |
| 1794 | } |
| 1795 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1796 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret " |
| 1797 | "extension")); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1798 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1799 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1800 | p += 2; |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1801 | |
| 1802 | *p++ = 0x00; |
| 1803 | *p++ = 0x00; |
| 1804 | |
| 1805 | *olen = 4; |
| 1806 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1807 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 1808 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1809 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1810 | static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 1811 | unsigned char *buf, |
| 1812 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1813 | { |
| 1814 | unsigned char *p = buf; |
| 1815 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1816 | if (ssl->handshake->new_session_ticket == 0) { |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1817 | *olen = 0; |
| 1818 | return; |
| 1819 | } |
| 1820 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1821 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1822 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1823 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1824 | p += 2; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1825 | |
| 1826 | *p++ = 0x00; |
| 1827 | *p++ = 0x00; |
| 1828 | |
| 1829 | *olen = 4; |
| 1830 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1831 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 1832 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1833 | static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
| 1834 | unsigned char *buf, |
| 1835 | size_t *olen) |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1836 | { |
| 1837 | unsigned char *p = buf; |
| 1838 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1839 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) { |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1840 | *olen = 0; |
| 1841 | return; |
| 1842 | } |
| 1843 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1844 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension")); |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1845 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1846 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1847 | p += 2; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1848 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1849 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1850 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1851 | *p++ = 0x00; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1852 | *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1853 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1854 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1855 | memcpy(p, ssl->peer_verify_data, ssl->verify_data_len); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1856 | p += ssl->verify_data_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1857 | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1858 | p += ssl->verify_data_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1859 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1860 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1861 | { |
| 1862 | *p++ = 0x00; |
| 1863 | *p++ = 0x01; |
| 1864 | *p++ = 0x00; |
| Manuel Pégourié-Gonnard | 615e677 | 2014-11-03 08:23:14 +0100 | [diff] [blame] | 1865 | } |
| Manuel Pégourié-Gonnard | 1938975 | 2015-06-23 13:46:44 +0200 | [diff] [blame] | 1866 | |
| 1867 | *olen = p - buf; |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 1868 | } |
| 1869 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1870 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1871 | static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 1872 | unsigned char *buf, |
| 1873 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1874 | { |
| 1875 | unsigned char *p = buf; |
| 1876 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1877 | if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1878 | *olen = 0; |
| 1879 | return; |
| 1880 | } |
| 1881 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1882 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1883 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1884 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1885 | p += 2; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1886 | |
| 1887 | *p++ = 0x00; |
| 1888 | *p++ = 1; |
| 1889 | |
| Manuel Pégourié-Gonnard | ed4af8b | 2013-07-18 14:07:09 +0200 | [diff] [blame] | 1890 | *p++ = ssl->session_negotiate->mfl_code; |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1891 | |
| 1892 | *olen = 5; |
| 1893 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1894 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 1895 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 1896 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 1897 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1898 | static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 1899 | unsigned char *buf, |
| 1900 | size_t *olen) |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1901 | { |
| 1902 | unsigned char *p = buf; |
| 1903 | ((void) ssl); |
| 1904 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1905 | if ((ssl->handshake->cli_exts & |
| 1906 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) { |
| Paul Bakker | 677377f | 2013-10-28 12:54:26 +0100 | [diff] [blame] | 1907 | *olen = 0; |
| 1908 | return; |
| 1909 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1910 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1911 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension")); |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1912 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1913 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1914 | p += 2; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1915 | |
| 1916 | *p++ = 0x00; |
| 1917 | *p++ = 2; |
| 1918 | |
| 1919 | *p++ = 1; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1920 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1921 | |
| 1922 | *olen = 6; |
| 1923 | } |
| Manuel Pégourié-Gonnard | eef142d | 2015-09-16 10:05:04 +0200 | [diff] [blame] | 1924 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 1925 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1926 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1927 | static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
| 1928 | unsigned char *buf, |
| 1929 | size_t *olen) |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1930 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 1931 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1932 | unsigned char *p = buf; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 1933 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1934 | size_t kkpp_len; |
| 1935 | |
| 1936 | *olen = 0; |
| 1937 | |
| 1938 | /* Skip costly computation if not needed */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1939 | if (ssl->handshake->ciphersuite_info->key_exchange != |
| 1940 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1941 | return; |
| 1942 | } |
| 1943 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1944 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension")); |
| 1945 | |
| 1946 | if (end - p < 4) { |
| 1947 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1948 | return; |
| 1949 | } |
| 1950 | |
| 1951 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1952 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1953 | |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1954 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1955 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 1956 | p + 2, end - p - 2, &kkpp_len, |
| 1957 | MBEDTLS_ECJPAKE_ROUND_ONE); |
| 1958 | if (ret != 0) { |
| 1959 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 1960 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 1961 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| Valerio Setti | a988364 | 2022-11-17 15:34:59 +0100 | [diff] [blame] | 1962 | return; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1963 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1964 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1965 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
| 1966 | p + 2, end - p - 2, &kkpp_len, |
| 1967 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 1968 | if (ret != 0) { |
| 1969 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret); |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1970 | return; |
| 1971 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 1972 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1973 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1974 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 1975 | p += 2; |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 1976 | |
| 1977 | *olen = kkpp_len + 4; |
| 1978 | } |
| 1979 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1980 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1981 | #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1982 | static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 1983 | unsigned char *buf, |
| 1984 | size_t *olen) |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1985 | { |
| Ron Eldor | 75870ec | 2018-12-06 17:31:55 +0200 | [diff] [blame] | 1986 | size_t mki_len = 0, ext_len = 0; |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 1987 | uint16_t profile_value = 0; |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 1988 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1989 | |
| 1990 | *olen = 0; |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 1991 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1992 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 1993 | (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) { |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1994 | return; |
| 1995 | } |
| 1996 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1997 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension")); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 1998 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1999 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2000 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 2001 | } |
| 2002 | |
| Johan Pascal | 9bc97ca | 2020-09-21 23:44:45 +0200 | [diff] [blame] | 2003 | /* The extension total size is 9 bytes : |
| 2004 | * - 2 bytes for the extension tag |
| 2005 | * - 2 bytes for the total size |
| 2006 | * - 2 bytes for the protection profile length |
| 2007 | * - 2 bytes for the protection profile |
| 2008 | * - 1 byte for the mki length |
| 2009 | * + the actual mki length |
| 2010 | * Check we have enough room in the output buffer */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2011 | if ((size_t) (end - buf) < mki_len + 9) { |
| 2012 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| Johan Pascal | 8f70fba | 2020-09-02 10:32:06 +0200 | [diff] [blame] | 2013 | return; |
| 2014 | } |
| 2015 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2016 | /* extension */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2017 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0); |
| Ron Eldor | ef72faf | 2018-07-12 11:54:20 +0300 | [diff] [blame] | 2018 | /* |
| 2019 | * total length 5 and mki value: only one profile(2 bytes) |
| 2020 | * and length(2 bytes) and srtp_mki ) |
| 2021 | */ |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2022 | ext_len = 5 + mki_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2023 | MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2024 | |
| 2025 | /* protection profile length: 2 */ |
| 2026 | buf[4] = 0x00; |
| 2027 | buf[5] = 0x02; |
| Johan Pascal | 43f9490 | 2020-09-22 12:25:52 +0200 | [diff] [blame] | 2028 | profile_value = mbedtls_ssl_check_srtp_profile_value( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2029 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile); |
| 2030 | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
| 2031 | MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6); |
| 2032 | } else { |
| 2033 | MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile")); |
| Ron Eldor | 089c9fe | 2018-12-06 17:12:49 +0200 | [diff] [blame] | 2034 | return; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2035 | } |
| 2036 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2037 | buf[8] = mki_len & 0xFF; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2038 | memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len); |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2039 | |
| Ron Eldor | 591f162 | 2018-01-22 12:30:04 +0200 | [diff] [blame] | 2040 | *olen = 9 + mki_len; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2041 | } |
| 2042 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 2043 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2044 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2045 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2046 | static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2047 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2048 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2049 | unsigned char *p = ssl->out_msg + 4; |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2050 | unsigned char *cookie_len_byte; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2051 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2052 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2053 | |
| 2054 | /* |
| 2055 | * struct { |
| 2056 | * ProtocolVersion server_version; |
| 2057 | * opaque cookie<0..2^8-1>; |
| 2058 | * } HelloVerifyRequest; |
| 2059 | */ |
| 2060 | |
| Manuel Pégourié-Gonnard | b35fe56 | 2014-08-09 17:00:46 +0200 | [diff] [blame] | 2061 | /* The RFC is not clear on this point, but sending the actual negotiated |
| 2062 | * version looks like the most interoperable thing to do. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2063 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| 2064 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2065 | p += 2; |
| 2066 | |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2067 | /* If we get here, f_cookie_check is not null */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2068 | if (ssl->conf->f_cookie_write == NULL) { |
| 2069 | MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); |
| 2070 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 7d38d21 | 2014-07-23 17:52:09 +0200 | [diff] [blame] | 2071 | } |
| 2072 | |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2073 | /* Skip length byte until we know the length */ |
| 2074 | cookie_len_byte = p++; |
| 2075 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2076 | if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, |
| 2077 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, |
| 2078 | ssl->cli_id, ssl->cli_id_len)) != 0) { |
| 2079 | MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); |
| 2080 | return ret; |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2081 | } |
| 2082 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2083 | *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1)); |
| Manuel Pégourié-Gonnard | d7f9bc5 | 2014-07-23 11:09:27 +0200 | [diff] [blame] | 2084 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2085 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2086 | |
| 2087 | ssl->out_msglen = p - ssl->out_msg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2088 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2089 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2090 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2091 | ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2092 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2093 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 2094 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 2095 | return ret; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2096 | } |
| 2097 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2098 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2099 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2100 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 2101 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 2102 | return ret; |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2103 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 2104 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 2105 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2106 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2107 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2108 | return 0; |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2109 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2110 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2111 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2112 | static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl) |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2113 | { |
| 2114 | int ret; |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2115 | mbedtls_ssl_session session_tmp; |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2116 | mbedtls_ssl_session * const session = ssl->session_negotiate; |
| 2117 | |
| 2118 | /* Resume is 0 by default, see ssl_handshake_init(). |
| 2119 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2120 | if (ssl->handshake->resume == 1) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2121 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2122 | } |
| 2123 | if (session->id_len == 0) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2124 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2125 | } |
| 2126 | if (ssl->conf->f_get_cache == NULL) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2127 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2128 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2129 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2130 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2131 | return; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2132 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2133 | #endif |
| 2134 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2135 | mbedtls_ssl_session_init(&session_tmp); |
| Hanno Becker | a5b1a39 | 2021-04-15 16:48:01 +0100 | [diff] [blame] | 2136 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2137 | ret = ssl->conf->f_get_cache(ssl->conf->p_cache, |
| 2138 | session->id, |
| 2139 | session->id_len, |
| 2140 | &session_tmp); |
| 2141 | if (ret != 0) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2142 | goto exit; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2143 | } |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2144 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2145 | if (session->ciphersuite != session_tmp.ciphersuite) { |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2146 | /* Mismatch between cached and negotiated session */ |
| 2147 | goto exit; |
| 2148 | } |
| 2149 | |
| 2150 | /* Move semantics */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2151 | mbedtls_ssl_session_free(session); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2152 | *session = session_tmp; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2153 | memset(&session_tmp, 0, sizeof(session_tmp)); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2154 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2155 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache")); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2156 | ssl->handshake->resume = 1; |
| 2157 | |
| 2158 | exit: |
| 2159 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2160 | mbedtls_ssl_session_free(&session_tmp); |
| Hanno Becker | 64ce974 | 2021-04-15 08:19:40 +0100 | [diff] [blame] | 2161 | } |
| 2162 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2163 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2164 | static int ssl_write_server_hello(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2165 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2166 | #if defined(MBEDTLS_HAVE_TIME) |
| SimonB | d5800b7 | 2016-04-26 07:43:27 +0100 | [diff] [blame] | 2167 | mbedtls_time_t t; |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2168 | #endif |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2169 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2170 | size_t olen, ext_len = 0, n; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2171 | unsigned char *buf, *p; |
| 2172 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2173 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2174 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2175 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2176 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2177 | ssl->handshake->cookie_verify_result != 0) { |
| 2178 | MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated")); |
| 2179 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2180 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2181 | return ssl_write_hello_verify_request(ssl); |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2182 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2183 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| Manuel Pégourié-Gonnard | 2c9ee81 | 2014-07-22 11:45:03 +0200 | [diff] [blame] | 2184 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2185 | if (ssl->conf->f_rng == NULL) { |
| 2186 | MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); |
| 2187 | return MBEDTLS_ERR_SSL_NO_RNG; |
| Paul Bakker | a9a028e | 2013-11-21 17:31:06 +0100 | [diff] [blame] | 2188 | } |
| 2189 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2190 | /* |
| 2191 | * 0 . 0 handshake type |
| 2192 | * 1 . 3 handshake length |
| 2193 | * 4 . 5 protocol version |
| 2194 | * 6 . 9 UNIX time() |
| 2195 | * 10 . 37 random bytes |
| 2196 | */ |
| 2197 | buf = ssl->out_msg; |
| 2198 | p = buf + 4; |
| 2199 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2200 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| Manuel Pégourié-Gonnard | abc7e3b | 2014-02-11 18:15:03 +0100 | [diff] [blame] | 2201 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2202 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2203 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]", |
| 2204 | buf[4], buf[5])); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2205 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2206 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2207 | t = mbedtls_time(NULL); |
| 2208 | MBEDTLS_PUT_UINT32_BE(t, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2209 | p += 4; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2210 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2211 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
| 2212 | (long long) t)); |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2213 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2214 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { |
| 2215 | return ret; |
| 2216 | } |
| Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 2217 | |
| 2218 | p += 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2219 | #endif /* MBEDTLS_HAVE_TIME */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2220 | |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2221 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2222 | return ret; |
| 2223 | } |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2224 | p += 20; |
| Paul Bakker | a3d195c | 2011-11-27 21:07:34 +0000 | [diff] [blame] | 2225 | |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2226 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| 2227 | /* |
| 2228 | * RFC 8446 |
| 2229 | * TLS 1.3 has a downgrade protection mechanism embedded in the server's |
| 2230 | * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in |
| 2231 | * response to a ClientHello MUST set the last 8 bytes of their Random |
| 2232 | * value specially in their ServerHello. |
| 2233 | */ |
| 2234 | if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) { |
| 2235 | static const unsigned char magic_tls12_downgrade_string[] = |
| 2236 | { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 }; |
| 2237 | |
| 2238 | MBEDTLS_STATIC_ASSERT( |
| 2239 | sizeof(magic_tls12_downgrade_string) == 8, |
| 2240 | "magic_tls12_downgrade_string does not have the expected size"); |
| 2241 | |
| Ronald Cron | fe01ec2 | 2023-04-06 09:56:53 +0200 | [diff] [blame] | 2242 | memcpy(p, magic_tls12_downgrade_string, |
| 2243 | sizeof(magic_tls12_downgrade_string)); |
| Ronald Cron | c564938 | 2023-04-04 15:33:42 +0200 | [diff] [blame] | 2244 | } else |
| 2245 | #endif |
| 2246 | { |
| 2247 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) { |
| 2248 | return ret; |
| 2249 | } |
| 2250 | } |
| 2251 | p += 8; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2252 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2253 | memcpy(ssl->handshake->randbytes + 32, buf + 6, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2254 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2255 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2256 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2257 | ssl_handle_id_based_session_resumption(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2258 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2259 | if (ssl->handshake->resume == 0) { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2260 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2261 | * New session, create a new session id, |
| 2262 | * unless we're about to issue a session ticket |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2263 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2264 | ssl->state++; |
| 2265 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2266 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2267 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 2268 | #endif |
| 2269 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2270 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2271 | if (ssl->handshake->new_session_ticket != 0) { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2272 | ssl->session_negotiate->id_len = n = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2273 | memset(ssl->session_negotiate->id, 0, 32); |
| 2274 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2275 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2276 | { |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2277 | ssl->session_negotiate->id_len = n = 32; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2278 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, |
| 2279 | n)) != 0) { |
| 2280 | return ret; |
| 2281 | } |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2282 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2283 | } else { |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2284 | /* |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2285 | * Resuming a session |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2286 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2287 | n = ssl->session_negotiate->id_len; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2288 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2289 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2290 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 2291 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 2292 | return ret; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2293 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2294 | } |
| 2295 | |
| Manuel Pégourié-Gonnard | 3ffa3db | 2013-08-02 11:59:05 +0200 | [diff] [blame] | 2296 | /* |
| 2297 | * 38 . 38 session id length |
| 2298 | * 39 . 38+n session id |
| 2299 | * 39+n . 40+n chosen ciphersuite |
| 2300 | * 41+n . 41+n chosen compression alg. |
| 2301 | * 42+n . 43+n extensions length |
| 2302 | * 44+n . 43+n+m extensions |
| 2303 | */ |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2304 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2305 | memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); |
| Manuel Pégourié-Gonnard | 12ad798 | 2015-06-18 15:50:37 +0200 | [diff] [blame] | 2306 | p += ssl->session_negotiate->id_len; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2307 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2308 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
| 2309 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n); |
| 2310 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
| 2311 | ssl->handshake->resume ? "a" : "no")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2312 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2313 | MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2314 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2315 | *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2316 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2317 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s", |
| 2318 | mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite))); |
| 2319 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X", |
| 2320 | (unsigned int) MBEDTLS_SSL_COMPRESS_NULL)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2321 | |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2322 | /* |
| 2323 | * First write extensions, then the total length |
| 2324 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2325 | ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | f11a6d7 | 2013-07-17 11:17:14 +0200 | [diff] [blame] | 2326 | ext_len += olen; |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2327 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2328 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2329 | ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2330 | ext_len += olen; |
| Paul Bakker | 05decb2 | 2013-08-15 13:33:48 +0200 | [diff] [blame] | 2331 | #endif |
| Manuel Pégourié-Gonnard | 7bb7899 | 2013-07-17 13:50:08 +0200 | [diff] [blame] | 2332 | |
| Hanno Becker | a0e20d0 | 2019-05-15 14:03:01 +0100 | [diff] [blame] | 2333 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2334 | ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen); |
| Hanno Becker | 51de2d3 | 2019-04-26 15:46:55 +0100 | [diff] [blame] | 2335 | ext_len += olen; |
| 2336 | #endif |
| 2337 | |
| Neil Armstrong | 76b7407 | 2022-04-06 13:43:54 +0200 | [diff] [blame] | 2338 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2339 | ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 699cafa | 2014-10-27 13:57:03 +0100 | [diff] [blame] | 2340 | ext_len += olen; |
| 2341 | #endif |
| 2342 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2343 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2344 | ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 367381f | 2014-10-20 18:40:56 +0200 | [diff] [blame] | 2345 | ext_len += olen; |
| 2346 | #endif |
| 2347 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2348 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2349 | ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2350 | ext_len += olen; |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 2351 | #endif |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 2352 | |
| Manuel Pégourié-Gonnard | f472179 | 2015-09-15 10:53:51 +0200 | [diff] [blame] | 2353 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
| Robert Cragie | ae8535d | 2015-10-06 17:11:18 +0100 | [diff] [blame] | 2354 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Leonid Rozenboim | 2875270 | 2022-04-21 18:00:52 -0700 | [diff] [blame] | 2355 | const mbedtls_ssl_ciphersuite_t *suite = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2356 | mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); |
| 2357 | if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) { |
| 2358 | ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen); |
| Ron Eldor | 755bb6a | 2018-02-14 19:30:48 +0200 | [diff] [blame] | 2359 | ext_len += olen; |
| 2360 | } |
| Manuel Pégourié-Gonnard | 7b19c16 | 2013-08-15 18:01:11 +0200 | [diff] [blame] | 2361 | #endif |
| 2362 | |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2363 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2364 | ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen); |
| Manuel Pégourié-Gonnard | 55c7f99 | 2015-09-16 15:35:27 +0200 | [diff] [blame] | 2365 | ext_len += olen; |
| 2366 | #endif |
| 2367 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2368 | #if defined(MBEDTLS_SSL_ALPN) |
| XiaokangQian | acb3992 | 2022-06-17 10:18:48 +0000 | [diff] [blame] | 2369 | unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2370 | if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen)) |
| 2371 | != 0) { |
| Paul Elliott | f518f81 | 2022-07-11 12:36:20 +0100 | [diff] [blame] | 2372 | return ret; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2373 | } |
| Paul Elliott | f518f81 | 2022-07-11 12:36:20 +0100 | [diff] [blame] | 2374 | |
| Manuel Pégourié-Gonnard | 89e3579 | 2014-04-07 12:10:30 +0200 | [diff] [blame] | 2375 | ext_len += olen; |
| 2376 | #endif |
| 2377 | |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2378 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2379 | ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen); |
| Johan Pascal | c3ccd98 | 2020-10-28 17:18:18 +0100 | [diff] [blame] | 2380 | ext_len += olen; |
| Johan Pascal | b62bb51 | 2015-12-03 21:56:45 +0100 | [diff] [blame] | 2381 | #endif |
| 2382 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2383 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 2384 | ext_len)); |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2385 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2386 | if (ext_len > 0) { |
| 2387 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| Joe Subbiani | 94180e7 | 2021-08-20 16:20:44 +0100 | [diff] [blame] | 2388 | p += 2 + ext_len; |
| Paul Bakker | a703663 | 2014-04-30 10:15:38 +0200 | [diff] [blame] | 2389 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2390 | |
| 2391 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2392 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2393 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2394 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2395 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2396 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2397 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2398 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2399 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2400 | } |
| 2401 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2402 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2403 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2404 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2405 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2406 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2407 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2408 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2409 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2410 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2411 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2412 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2413 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2414 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2415 | } |
| 2416 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2417 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2418 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2419 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2420 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2421 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2422 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2423 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2424 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2425 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2426 | ssl->handshake->ciphersuite_info; |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2427 | uint16_t dn_size, total_dn_size; /* excluding length bytes */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2428 | size_t ct_len, sa_len; /* including length bytes */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2429 | unsigned char *buf, *p; |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2430 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2431 | const mbedtls_x509_crt *crt; |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2432 | int authmode; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2433 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2434 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2435 | |
| 2436 | ssl->state++; |
| 2437 | |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2438 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2439 | if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2440 | authmode = ssl->handshake->sni_authmode; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2441 | } else |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2442 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2443 | authmode = ssl->conf->authmode; |
| Manuel Pégourié-Gonnard | cdc26ae | 2015-06-19 12:16:31 +0200 | [diff] [blame] | 2444 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2445 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) || |
| 2446 | authmode == MBEDTLS_SSL_VERIFY_NONE) { |
| 2447 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| 2448 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2449 | } |
| 2450 | |
| 2451 | /* |
| 2452 | * 0 . 0 handshake type |
| 2453 | * 1 . 3 handshake length |
| 2454 | * 4 . 4 cert type count |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2455 | * 5 .. m-1 cert types |
| 2456 | * m .. m+1 sig alg length (TLS 1.2 only) |
| Paul Bakker | 9af723c | 2014-05-01 13:03:14 +0200 | [diff] [blame] | 2457 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2458 | * n .. n+1 length of all DNs |
| 2459 | * n+2 .. n+3 length of DN 1 |
| 2460 | * n+4 .. ... Distinguished Name #1 |
| 2461 | * ... .. ... length of DN 2, etc. |
| 2462 | */ |
| 2463 | buf = ssl->out_msg; |
| 2464 | p = buf + 4; |
| 2465 | |
| 2466 | /* |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2467 | * Supported certificate types |
| 2468 | * |
| 2469 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2470 | * enum { (255) } ClientCertificateType; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2471 | */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2472 | ct_len = 0; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2473 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2474 | #if defined(MBEDTLS_RSA_C) |
| 2475 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2476 | #endif |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2477 | #if defined(MBEDTLS_ECDSA_C) |
| 2478 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2479 | #endif |
| 2480 | |
| Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 2481 | p[0] = (unsigned char) ct_len++; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2482 | p += ct_len; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2483 | |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 2484 | sa_len = 0; |
| Jerry Yu | e754193 | 2022-01-28 10:21:24 +0800 | [diff] [blame] | 2485 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2486 | /* |
| 2487 | * Add signature_algorithms for verify (TLS 1.2) |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2488 | * |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2489 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| 2490 | * |
| 2491 | * struct { |
| 2492 | * HashAlgorithm hash; |
| 2493 | * SignatureAlgorithm signature; |
| 2494 | * } SignatureAndHashAlgorithm; |
| 2495 | * |
| 2496 | * enum { (255) } HashAlgorithm; |
| 2497 | * enum { (255) } SignatureAlgorithm; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2498 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2499 | const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); |
| 2500 | if (sig_alg == NULL) { |
| 2501 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2502 | } |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2503 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2504 | for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { |
| 2505 | unsigned char hash = MBEDTLS_BYTE_1(*sig_alg); |
| Jerry Yu | 6106fdc | 2022-01-12 16:36:14 +0800 | [diff] [blame] | 2506 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2507 | if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2508 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2509 | } |
| 2510 | if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2511 | continue; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2512 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 2513 | |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2514 | /* Write elements at offsets starting from 1 (offset 0 is for the |
| 2515 | * length). Thus the offset of each element is the length of the |
| 2516 | * partial list including that element. */ |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2517 | sa_len += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2518 | MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len); |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2519 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2520 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2521 | |
| Paul Elliott | 96a0fd9 | 2022-11-08 17:09:56 +0000 | [diff] [blame] | 2522 | /* Fill in list length. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2523 | MBEDTLS_PUT_UINT16_BE(sa_len, p, 0); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 2524 | sa_len += 2; |
| 2525 | p += sa_len; |
| 2526 | |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 2527 | /* |
| 2528 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2529 | * opaque DistinguishedName<1..2^16-1>; |
| 2530 | */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2531 | p += 2; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2532 | |
| Paul Bakker | bc3d984 | 2012-11-26 16:12:02 +0100 | [diff] [blame] | 2533 | total_dn_size = 0; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2534 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2535 | if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) { |
| Hanno Becker | 8bf74f3 | 2019-03-27 11:01:30 +0000 | [diff] [blame] | 2536 | /* NOTE: If trusted certificates are provisioned |
| 2537 | * via a CA callback (configured through |
| 2538 | * `mbedtls_ssl_conf_ca_cb()`, then the |
| 2539 | * CertificateRequest is currently left empty. */ |
| 2540 | |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2541 | #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| 2542 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2543 | if (ssl->handshake->dn_hints != NULL) { |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2544 | crt = ssl->handshake->dn_hints; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2545 | } else |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2546 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2547 | if (ssl->conf->dn_hints != NULL) { |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2548 | crt = ssl->conf->dn_hints; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2549 | } else |
| Glenn Strauss | 999ef70 | 2022-03-11 01:37:23 -0500 | [diff] [blame] | 2550 | #endif |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2551 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2552 | if (ssl->handshake->sni_ca_chain != NULL) { |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2553 | crt = ssl->handshake->sni_ca_chain; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2554 | } else |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2555 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2556 | crt = ssl->conf->ca_chain; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2557 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2558 | while (crt != NULL && crt->version != 0) { |
| irwir | c9bc300 | 2020-04-01 13:46:36 +0300 | [diff] [blame] | 2559 | /* It follows from RFC 5280 A.1 that this length |
| 2560 | * can be represented in at most 11 bits. */ |
| 2561 | dn_size = (uint16_t) crt->subject_raw.len; |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2562 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2563 | if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) { |
| 2564 | MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short")); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2565 | break; |
| 2566 | } |
| 2567 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2568 | MBEDTLS_PUT_UINT16_BE(dn_size, p, 0); |
| Joe Subbiani | 1f6c3ae | 2021-08-20 11:44:44 +0100 | [diff] [blame] | 2569 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2570 | memcpy(p, crt->subject_raw.p, dn_size); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2571 | p += dn_size; |
| 2572 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2573 | MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size); |
| Janos Follath | 088ce43 | 2017-04-10 12:42:31 +0100 | [diff] [blame] | 2574 | |
| 2575 | total_dn_size += 2 + dn_size; |
| 2576 | crt = crt->next; |
| Manuel Pégourié-Gonnard | bc1babb | 2015-10-02 11:16:47 +0200 | [diff] [blame] | 2577 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2578 | } |
| 2579 | |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 2580 | ssl->out_msglen = p - buf; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2581 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2582 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2583 | MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2584 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2585 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2586 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2587 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2588 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2589 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2590 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2591 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2592 | |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2593 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2594 | (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2595 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2596 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2597 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2598 | { |
| 2599 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2600 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2601 | mbedtls_pk_context *pk; |
| 2602 | mbedtls_pk_type_t pk_type; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2603 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2604 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2605 | uint16_t tls_id = 0; |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 2606 | psa_key_type_t key_type = PSA_KEY_TYPE_NONE; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2607 | size_t key_len; |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2608 | mbedtls_ecp_group_id grp_id; |
| Valerio Setti | 3589a4c | 2023-06-22 09:02:44 +0200 | [diff] [blame] | 2609 | unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2610 | mbedtls_ecp_keypair *key; |
| 2611 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2612 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2613 | pk = mbedtls_ssl_own_key(ssl); |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2614 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2615 | if (pk == NULL) { |
| 2616 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2617 | } |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2618 | |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2619 | pk_type = mbedtls_pk_get_type(pk); |
| Valerio Setti | d040509 | 2023-05-24 13:16:40 +0200 | [diff] [blame] | 2620 | |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2621 | switch (pk_type) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2622 | case MBEDTLS_PK_OPAQUE: |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2623 | #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2624 | case MBEDTLS_PK_ECKEY: |
| 2625 | case MBEDTLS_PK_ECKEY_DH: |
| 2626 | case MBEDTLS_PK_ECDSA: |
| 2627 | #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2628 | if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { |
| 2629 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| 2630 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2631 | |
| Valerio Setti | 4f387ef | 2023-05-02 14:15:59 +0200 | [diff] [blame] | 2632 | ssl->handshake->ecdh_psa_privkey = pk->priv_id; |
| Valerio Setti | b46217d | 2023-06-16 13:18:52 +0200 | [diff] [blame] | 2633 | /* Key should not be destroyed in the TLS library */ |
| 2634 | ssl->handshake->ecdh_psa_privkey_is_external = 1; |
| Neil Armstrong | e88d190 | 2022-04-04 11:25:23 +0200 | [diff] [blame] | 2635 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2636 | status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey, |
| 2637 | &key_attributes); |
| 2638 | if (status != PSA_SUCCESS) { |
| 2639 | ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2640 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2641 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2642 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2643 | ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); |
| 2644 | ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2645 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2646 | psa_reset_key_attributes(&key_attributes); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2647 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2648 | ret = 0; |
| 2649 | break; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2650 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2651 | case MBEDTLS_PK_ECKEY: |
| 2652 | case MBEDTLS_PK_ECKEY_DH: |
| 2653 | case MBEDTLS_PK_ECDSA: |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2654 | key = mbedtls_pk_ec_rw(*pk); |
| Valerio Setti | d040509 | 2023-05-24 13:16:40 +0200 | [diff] [blame] | 2655 | grp_id = mbedtls_pk_get_group_id(pk); |
| 2656 | if (grp_id == MBEDTLS_ECP_DP_NONE) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2657 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2658 | } |
| Valerio Setti | 9720778 | 2023-05-18 18:59:06 +0200 | [diff] [blame] | 2659 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2660 | if (tls_id == 0) { |
| 2661 | /* This elliptic curve is not supported */ |
| 2662 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2663 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2664 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2665 | /* If the above conversion to TLS ID was fine, then also this one will |
| 2666 | be, so there is no need to check the return value here */ |
| Przemek Stekiel | da4fba6 | 2023-06-02 14:52:28 +0200 | [diff] [blame] | 2667 | mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2668 | &ssl->handshake->ecdh_bits); |
| Valerio Setti | 2b5d3de | 2023-01-09 11:04:52 +0100 | [diff] [blame] | 2669 | |
| Przemek Stekiel | da4fba6 | 2023-06-02 14:52:28 +0200 | [diff] [blame] | 2670 | ssl->handshake->ecdh_psa_type = key_type; |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2671 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2672 | key_attributes = psa_key_attributes_init(); |
| 2673 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2674 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2675 | psa_set_key_type(&key_attributes, |
| 2676 | PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type)); |
| 2677 | psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits); |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2678 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2679 | key_len = PSA_BITS_TO_BYTES(key->grp.pbits); |
| 2680 | ret = mbedtls_ecp_write_key(key, buf, key_len); |
| 2681 | if (ret != 0) { |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2682 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2683 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2684 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2685 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2686 | status = psa_import_key(&key_attributes, buf, key_len, |
| 2687 | &ssl->handshake->ecdh_psa_privkey); |
| 2688 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 2689 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2690 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2691 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2692 | } |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2693 | |
| Valerio Setti | 6835b4a | 2023-06-22 09:06:31 +0200 | [diff] [blame] | 2694 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2695 | ret = 0; |
| 2696 | break; |
| Valerio Setti | 0813b6f | 2023-06-16 12:18:53 +0200 | [diff] [blame] | 2697 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2698 | default: |
| Neil Armstrong | 104a7c1 | 2022-03-23 10:58:03 +0100 | [diff] [blame] | 2699 | ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2700 | } |
| 2701 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2702 | return ret; |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 2703 | } |
| 2704 | #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2705 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2706 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2707 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2708 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2709 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2710 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2711 | const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 2712 | if (private_key == NULL) { |
| 2713 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key")); |
| 2714 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Leonid Rozenboim | 2875270 | 2022-04-21 18:00:52 -0700 | [diff] [blame] | 2715 | } |
| 2716 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2717 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) { |
| 2718 | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
| 2719 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2720 | } |
| 2721 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2722 | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, |
| Valerio Setti | 77a7568 | 2023-05-15 11:18:46 +0200 | [diff] [blame] | 2723 | mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)), |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2724 | MBEDTLS_ECDH_OURS)) != 0) { |
| 2725 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
| 2726 | return ret; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2727 | } |
| 2728 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2729 | return 0; |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2730 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2731 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2732 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 5538970 | 2013-12-12 11:14:16 +0100 | [diff] [blame] | 2733 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2734 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2735 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2736 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2737 | static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2738 | size_t *signature_len) |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2739 | { |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 2740 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 2741 | * signature length which will be added in ssl_write_server_key_exchange |
| 2742 | * after the call to ssl_prepare_server_key_exchange. |
| 2743 | * ssl_write_server_key_exchange also takes care of incrementing |
| 2744 | * ssl->out_msglen. */ |
| 2745 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2746 | size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN |
| 2747 | - sig_start); |
| 2748 | int ret = ssl->conf->f_async_resume(ssl, |
| 2749 | sig_start, signature_len, sig_max_len); |
| 2750 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 2751 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2752 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2753 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2754 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret); |
| 2755 | return ret; |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2756 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2757 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 2758 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 2759 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 2760 | /* Prepare the ServerKeyExchange message, up to and including |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 2761 | * calculating the signature if any, but excluding formatting the |
| 2762 | * signature and sending the message. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2763 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2764 | static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2765 | size_t *signature_len) |
| Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 2766 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2767 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 2768 | ssl->handshake->ciphersuite_info; |
| 2769 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2770 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2771 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 3ce9b90 | 2018-01-06 01:34:21 +0100 | [diff] [blame] | 2772 | unsigned char *dig_signed = NULL; |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2773 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2774 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2775 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2776 | (void) ciphersuite_info; /* unused in some configurations */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2777 | #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 22e695f | 2018-04-26 00:22:50 +0200 | [diff] [blame] | 2778 | (void) signature_len; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2779 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2780 | |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 2781 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2782 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2783 | size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2784 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2785 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2786 | #endif |
| Gilles Peskine | 16fe8fc | 2021-06-22 09:45:56 +0200 | [diff] [blame] | 2787 | #endif |
| Gilles Peskine | f00f152 | 2021-06-22 00:09:00 +0200 | [diff] [blame] | 2788 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2789 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2790 | |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2791 | /* |
| 2792 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2793 | * Part 1: Provide key exchange parameters for chosen ciphersuite. |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2794 | * |
| 2795 | */ |
| 2796 | |
| 2797 | /* |
| 2798 | * - ECJPAKE key exchanges |
| 2799 | */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2800 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2801 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2802 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2803 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2804 | unsigned char *out_p = ssl->out_msg + ssl->out_msglen; |
| 2805 | unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - |
| 2806 | ssl->out_msglen; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2807 | size_t output_offset = 0; |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 2808 | size_t output_len = 0; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2809 | |
| Valerio Setti | 6f1b574 | 2022-11-16 10:00:32 +0100 | [diff] [blame] | 2810 | /* |
| 2811 | * The first 3 bytes are: |
| 2812 | * [0] MBEDTLS_ECP_TLS_NAMED_CURVE |
| 2813 | * [1, 2] elliptic curve's TLS ID |
| 2814 | * |
| 2815 | * However since we only support secp256r1 for now, we hardcode its |
| 2816 | * TLS ID here |
| 2817 | */ |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2818 | uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2819 | MBEDTLS_ECP_DP_SECP256R1); |
| 2820 | if (tls_id == 0) { |
| 2821 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Valerio Setti | 6f1b574 | 2022-11-16 10:00:32 +0100 | [diff] [blame] | 2822 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2823 | *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2824 | MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1); |
| Valerio Setti | 819de86 | 2022-11-17 18:05:19 +0100 | [diff] [blame] | 2825 | output_offset += 3; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2826 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2827 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 2828 | out_p + output_offset, |
| 2829 | end_p - out_p - output_offset, &output_len, |
| 2830 | MBEDTLS_ECJPAKE_ROUND_TWO); |
| 2831 | if (ret != 0) { |
| 2832 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 2833 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 2834 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 2835 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2836 | } |
| 2837 | |
| Valerio Setti | 02c25b5 | 2022-11-15 14:08:42 +0100 | [diff] [blame] | 2838 | output_offset += output_len; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2839 | ssl->out_msglen += output_offset; |
| 2840 | #else |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2841 | size_t len = 0; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2842 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2843 | ret = mbedtls_ecjpake_write_round_two( |
| 2844 | &ssl->handshake->ecjpake_ctx, |
| 2845 | ssl->out_msg + ssl->out_msglen, |
| Angus Gratton | d8213d0 | 2016-05-25 20:56:48 +1000 | [diff] [blame] | 2846 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2847 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2848 | if (ret != 0) { |
| 2849 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
| 2850 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2851 | } |
| 2852 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2853 | ssl->out_msglen += len; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 2854 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 2855 | } |
| 2856 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 2857 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2858 | /* |
| 2859 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support |
| 2860 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, |
| 2861 | * we use empty support identity hints here. |
| 2862 | **/ |
| 2863 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2864 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2865 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| 2866 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2867 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| 2868 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2869 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 2870 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| 2871 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2872 | |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 2873 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2874 | * - DHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2875 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2876 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2877 | if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2878 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2879 | size_t len = 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 2880 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2881 | if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) { |
| 2882 | MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set")); |
| 2883 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Manuel Pégourié-Gonnard | 1028b74 | 2015-05-06 17:33:07 +0100 | [diff] [blame] | 2884 | } |
| 2885 | |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2886 | /* |
| 2887 | * Ephemeral DH parameters: |
| 2888 | * |
| 2889 | * struct { |
| 2890 | * opaque dh_p<1..2^16-1>; |
| 2891 | * opaque dh_g<1..2^16-1>; |
| 2892 | * opaque dh_Ys<1..2^16-1>; |
| 2893 | * } ServerDHParams; |
| 2894 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2895 | if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx, |
| 2896 | &ssl->conf->dhm_P, |
| 2897 | &ssl->conf->dhm_G)) != 0) { |
| 2898 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret); |
| 2899 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2900 | } |
| Paul Bakker | 48916f9 | 2012-09-16 19:57:18 +0000 | [diff] [blame] | 2901 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2902 | if ((ret = mbedtls_dhm_make_params( |
| 2903 | &ssl->handshake->dhm_ctx, |
| 2904 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 2905 | ssl->out_msg + ssl->out_msglen, &len, |
| 2906 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2907 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret); |
| 2908 | return ret; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2909 | } |
| 2910 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 2911 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2912 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 2913 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2914 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 2915 | ssl->out_msglen += len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 2916 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2917 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
| 2918 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
| 2919 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
| 2920 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2921 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2922 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2923 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2924 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 2925 | * - ECDHE key exchanges |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 2926 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 2927 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2928 | if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) { |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 2929 | /* |
| 2930 | * Ephemeral ECDH parameters: |
| 2931 | * |
| 2932 | * struct { |
| 2933 | * ECParameters curve_params; |
| 2934 | * ECPoint public; |
| 2935 | * } ServerECDHParams; |
| 2936 | */ |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 2937 | uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2938 | const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 2939 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Simon Butcher | 600c5e6 | 2018-06-14 08:58:59 +0100 | [diff] [blame] | 2940 | size_t len = 0; |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2941 | |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 2942 | /* Match our preference list against the offered curves */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2943 | if ((group_list == NULL) || (curr_tls_id == NULL)) { |
| 2944 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2945 | } |
| 2946 | for (; *group_list != 0; group_list++) { |
| 2947 | for (curr_tls_id = ssl->handshake->curves_tls_id; |
| 2948 | *curr_tls_id != 0; curr_tls_id++) { |
| 2949 | if (*curr_tls_id == *group_list) { |
| Manuel Pégourié-Gonnard | c3f6b62c | 2014-02-06 10:13:09 +0100 | [diff] [blame] | 2950 | goto curve_matching_done; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2951 | } |
| 2952 | } |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2953 | } |
| Manuel Pégourié-Gonnard | de05390 | 2014-02-04 13:58:39 +0100 | [diff] [blame] | 2954 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2955 | curve_matching_done: |
| 2956 | if (*curr_tls_id == 0) { |
| 2957 | MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); |
| 2958 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2959 | } |
| 2960 | |
| 2961 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", |
| 2962 | mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id))); |
| Gergely Budai | 987bfb5 | 2014-01-19 21:48:42 +0100 | [diff] [blame] | 2963 | |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 2964 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2965 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 2966 | psa_key_attributes_t key_attributes; |
| 2967 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2968 | uint8_t *p = ssl->out_msg + ssl->out_msglen; |
| 2969 | const size_t header_size = 4; // curve_type(1), namedcurve(2), |
| 2970 | // data length(1) |
| 2971 | const size_t data_length_size = 1; |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 2972 | psa_key_type_t key_type = PSA_KEY_TYPE_NONE; |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2973 | size_t ec_bits = 0; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2974 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2975 | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2976 | |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2977 | /* Convert EC's TLS ID to PSA key type. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2978 | if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id, |
| Przemek Stekiel | da4fba6 | 2023-06-02 14:52:28 +0200 | [diff] [blame] | 2979 | &key_type, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2980 | &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { |
| 2981 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse.")); |
| 2982 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Przemek Stekiel | b6ce0b6 | 2022-03-09 15:38:24 +0100 | [diff] [blame] | 2983 | } |
| Przemek Stekiel | da4fba6 | 2023-06-02 14:52:28 +0200 | [diff] [blame] | 2984 | handshake->ecdh_psa_type = key_type; |
| Valerio Setti | 40d9ca9 | 2023-01-04 16:08:04 +0100 | [diff] [blame] | 2985 | handshake->ecdh_bits = ec_bits; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2986 | |
| 2987 | key_attributes = psa_key_attributes_init(); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2988 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2989 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2990 | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
| 2991 | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 2992 | |
| 2993 | /* |
| 2994 | * ECParameters curve_params |
| 2995 | * |
| 2996 | * First byte is curve_type, always named_curve |
| 2997 | */ |
| 2998 | *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| 2999 | |
| 3000 | /* |
| 3001 | * Next two bytes are the namedcurve value |
| 3002 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3003 | MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3004 | p += 2; |
| 3005 | |
| 3006 | /* Generate ECDH private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3007 | status = psa_generate_key(&key_attributes, |
| 3008 | &handshake->ecdh_psa_privkey); |
| 3009 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3010 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3011 | MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); |
| 3012 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3013 | } |
| 3014 | |
| 3015 | /* |
| 3016 | * ECPoint public |
| 3017 | * |
| 3018 | * First byte is data length. |
| 3019 | * It will be filled later. p holds now the data length location. |
| 3020 | */ |
| 3021 | |
| 3022 | /* Export the public part of the ECDH private key from PSA. |
| 3023 | * Make one byte space for the length. |
| 3024 | */ |
| 3025 | unsigned char *own_pubkey = p + data_length_size; |
| 3026 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3027 | size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN |
| 3028 | - (own_pubkey - ssl->out_msg)); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3029 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3030 | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
| 3031 | own_pubkey, own_pubkey_max_len, |
| 3032 | &len); |
| 3033 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3034 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3035 | MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); |
| 3036 | (void) psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3037 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3038 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3039 | } |
| 3040 | |
| 3041 | /* Store the length of the exported public key. */ |
| 3042 | *p = (uint8_t) len; |
| 3043 | |
| 3044 | /* Determine full message length. */ |
| 3045 | len += header_size; |
| 3046 | #else |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 3047 | mbedtls_ecp_group_id curr_grp_id = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3048 | mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| Valerio Setti | 18c9fed | 2022-12-30 17:44:24 +0100 | [diff] [blame] | 3049 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3050 | if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx, |
| 3051 | curr_grp_id)) != 0) { |
| 3052 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); |
| 3053 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3054 | } |
| 3055 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3056 | if ((ret = mbedtls_ecdh_make_params( |
| 3057 | &ssl->handshake->ecdh_ctx, &len, |
| 3058 | ssl->out_msg + ssl->out_msglen, |
| 3059 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, |
| 3060 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3061 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); |
| 3062 | return ret; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3063 | } |
| 3064 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3065 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3066 | MBEDTLS_DEBUG_ECDH_Q); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3067 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3068 | |
| Jerry Yu | c5aef88 | 2021-12-23 20:15:02 +0800 | [diff] [blame] | 3069 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3070 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3071 | #endif |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3072 | |
| Gilles Peskine | f9f15ae | 2018-01-08 17:13:01 +0100 | [diff] [blame] | 3073 | ssl->out_msglen += len; |
| Paul Bakker | 41c83d3 | 2013-03-20 14:39:14 +0100 | [diff] [blame] | 3074 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3075 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3076 | |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3077 | /* |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3078 | * |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3079 | * Part 2: For key exchanges involving the server signing the |
| Hanno Becker | cf7ae7e | 2017-05-11 14:07:25 +0100 | [diff] [blame] | 3080 | * exchange parameters, compute and add the signature here. |
| 3081 | * |
| Hanno Becker | 1aa267c | 2017-04-28 17:08:27 +0100 | [diff] [blame] | 3082 | */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3083 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3084 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
| 3085 | if (dig_signed == NULL) { |
| 3086 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3087 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Elliott | 1142038 | 2022-05-13 17:43:47 +0100 | [diff] [blame] | 3088 | } |
| 3089 | |
| Gilles Peskine | 1004c19 | 2018-01-08 16:59:14 +0100 | [diff] [blame] | 3090 | size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; |
| Gilles Peskine | ca1d742 | 2018-04-24 11:53:22 +0200 | [diff] [blame] | 3091 | size_t hashlen = 0; |
| Manuel Pégourié-Gonnard | 8857984 | 2023-03-28 11:20:23 +0200 | [diff] [blame] | 3092 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Przemek Stekiel | 5166954 | 2022-09-13 12:57:05 +0200 | [diff] [blame] | 3093 | |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3094 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3095 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3096 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3097 | * 2.1: Choose hash algorithm: |
| TRodziewicz | 4ca18aa | 2021-05-20 14:46:20 +0200 | [diff] [blame] | 3098 | * For TLS 1.2, obey signature-hash-algorithm extension |
| 3099 | * to choose appropriate hash. |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3100 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3101 | |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 3102 | mbedtls_pk_type_t sig_alg = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3103 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3104 | |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3105 | unsigned int sig_hash = |
| 3106 | mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3107 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3108 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3109 | mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash); |
| Gabor Mezei | a3d016c | 2022-05-10 12:44:09 +0200 | [diff] [blame] | 3110 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3111 | /* For TLS 1.2, obey signature-hash-algorithm extension |
| 3112 | * (RFC 5246, Sec. 7.4.1.4.1). */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3113 | if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { |
| 3114 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3115 | /* (... because we choose a cipher suite |
| 3116 | * only if there is a matching hash.) */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3117 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3118 | } |
| 3119 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3120 | MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg)); |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3121 | |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 3122 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3123 | * 2.2: Compute the hash to be signed |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3124 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3125 | if (md_alg != MBEDTLS_MD_NONE) { |
| 3126 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
| 3127 | dig_signed, |
| 3128 | dig_signed_len, |
| 3129 | md_alg); |
| 3130 | if (ret != 0) { |
| 3131 | return ret; |
| 3132 | } |
| 3133 | } else { |
| 3134 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3135 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 577e006 | 2013-08-28 11:57:20 +0200 | [diff] [blame] | 3136 | } |
| Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3137 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3138 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3139 | |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3140 | /* |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3141 | * 2.3: Compute and add the signature |
| Manuel Pégourié-Gonnard | abae74c | 2013-08-20 13:53:44 +0200 | [diff] [blame] | 3142 | */ |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 3143 | /* |
| 3144 | * We need to specify signature and hash algorithm explicitly through |
| 3145 | * a prefix to the signature. |
| 3146 | * |
| 3147 | * struct { |
| 3148 | * HashAlgorithm hash; |
| 3149 | * SignatureAlgorithm signature; |
| 3150 | * } SignatureAndHashAlgorithm; |
| 3151 | * |
| 3152 | * struct { |
| 3153 | * SignatureAndHashAlgorithm algorithm; |
| 3154 | * opaque signature<0..2^16-1>; |
| 3155 | * } DigitallySigned; |
| 3156 | * |
| 3157 | */ |
| Hanno Becker | 7e5437a | 2017-04-28 17:15:26 +0100 | [diff] [blame] | 3158 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3159 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg); |
| 3160 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3161 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3162 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3163 | if (ssl->conf->f_async_sign_start != NULL) { |
| 3164 | ret = ssl->conf->f_async_sign_start(ssl, |
| 3165 | mbedtls_ssl_own_cert(ssl), |
| 3166 | md_alg, hash, hashlen); |
| 3167 | switch (ret) { |
| 3168 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3169 | /* act as if f_async_sign was null */ |
| 3170 | break; |
| 3171 | case 0: |
| 3172 | ssl->handshake->async_in_progress = 1; |
| 3173 | return ssl_resume_server_key_exchange(ssl, signature_len); |
| 3174 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3175 | ssl->handshake->async_in_progress = 1; |
| 3176 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3177 | default: |
| 3178 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret); |
| 3179 | return ret; |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3180 | } |
| 3181 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3182 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3183 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3184 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
| 3185 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key")); |
| 3186 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Gilles Peskine | 4bf9a28 | 2018-01-05 21:20:50 +0100 | [diff] [blame] | 3187 | } |
| 3188 | |
| Gilles Peskine | 0fd90dd | 2018-04-26 07:41:09 +0200 | [diff] [blame] | 3189 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 3190 | * signature length which will be added in ssl_write_server_key_exchange |
| 3191 | * after the call to ssl_prepare_server_key_exchange. |
| 3192 | * ssl_write_server_key_exchange also takes care of incrementing |
| 3193 | * ssl->out_msglen. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3194 | if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), |
| 3195 | md_alg, hash, hashlen, |
| 3196 | ssl->out_msg + ssl->out_msglen + 2, |
| 3197 | out_buf_len - ssl->out_msglen - 2, |
| 3198 | signature_len, |
| 3199 | ssl->conf->f_rng, |
| 3200 | ssl->conf->p_rng)) != 0) { |
| 3201 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
| 3202 | return ret; |
| Paul Bakker | 23f3680 | 2012-09-28 14:15:14 +0000 | [diff] [blame] | 3203 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3204 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3205 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3206 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3207 | return 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3208 | } |
| Paul Bakker | 1ef83d6 | 2012-04-11 12:09:53 +0000 | [diff] [blame] | 3209 | |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3210 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3211 | * that do not include a ServerKeyExchange message, do nothing. Either |
| 3212 | * way, if successful, move on to the next step in the SSL state |
| 3213 | * machine. */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3214 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3215 | static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3216 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3217 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3218 | size_t signature_len = 0; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3219 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3220 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3221 | ssl->handshake->ciphersuite_info; |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3222 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3223 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3224 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3225 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3226 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3227 | /* Extract static ECDH parameters and abort if ServerKeyExchange |
| 3228 | * is not needed. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3229 | if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3230 | /* For suites involving ECDH, extract DH parameters |
| 3231 | * from certificate at this point. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3232 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3233 | if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { |
| 3234 | ret = ssl_get_ecdh_params_from_cert(ssl); |
| 3235 | if (ret != 0) { |
| 3236 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
| 3237 | return ret; |
| Manuel Pégourié-Gonnard | b64fb62 | 2022-06-10 09:34:20 +0200 | [diff] [blame] | 3238 | } |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3239 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3240 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3241 | |
| 3242 | /* Key exchanges not involving ephemeral keys don't use |
| 3243 | * ServerKeyExchange, so end here. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3244 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3245 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3246 | return 0; |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3247 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3248 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3249 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3250 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3251 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3252 | /* If we have already prepared the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3253 | * signature operation, resume signing. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3254 | if (ssl->handshake->async_in_progress != 0) { |
| 3255 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation")); |
| 3256 | ret = ssl_resume_server_key_exchange(ssl, &signature_len); |
| 3257 | } else |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3258 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3259 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3260 | { |
| 3261 | /* ServerKeyExchange is needed. Prepare the message. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3262 | ret = ssl_prepare_server_key_exchange(ssl, &signature_len); |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3263 | } |
| 3264 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3265 | if (ret != 0) { |
| Gilles Peskine | ad28bf0 | 2018-04-26 00:19:16 +0200 | [diff] [blame] | 3266 | /* If we're starting to write a new message, set ssl->out_msglen |
| 3267 | * to 0. But if we're resuming after an asynchronous message, |
| 3268 | * out_msglen is the amount of data written so far and mst be |
| 3269 | * preserved. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3270 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3271 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)")); |
| 3272 | } else { |
| Gilles Peskine | d3eb061 | 2018-01-08 17:07:44 +0100 | [diff] [blame] | 3273 | ssl->out_msglen = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3274 | } |
| 3275 | return ret; |
| Gilles Peskine | ebd30ae | 2018-01-06 03:34:20 +0100 | [diff] [blame] | 3276 | } |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3277 | |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3278 | /* If there is a signature, write its length. |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3279 | * ssl_prepare_server_key_exchange already wrote the signature |
| 3280 | * itself at its proper place in the output buffer. */ |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3281 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3282 | if (signature_len != 0) { |
| 3283 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len); |
| 3284 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len); |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3285 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3286 | MBEDTLS_SSL_DEBUG_BUF(3, "my signature", |
| 3287 | ssl->out_msg + ssl->out_msglen, |
| 3288 | signature_len); |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3289 | |
| 3290 | /* Skip over the already-written signature */ |
| 3291 | ssl->out_msglen += signature_len; |
| 3292 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3293 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| Gilles Peskine | 7ab013a | 2018-01-08 17:04:16 +0100 | [diff] [blame] | 3294 | |
| Gilles Peskine | 184a3fa | 2018-01-06 01:46:17 +0100 | [diff] [blame] | 3295 | /* Add header and send. */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3296 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3297 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3298 | |
| 3299 | ssl->state++; |
| 3300 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3301 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3302 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3303 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3304 | } |
| 3305 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3306 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange")); |
| 3307 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3308 | } |
| 3309 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3310 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3311 | static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3312 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3313 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3314 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3315 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3316 | |
| 3317 | ssl->out_msglen = 4; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3318 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3319 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3320 | |
| 3321 | ssl->state++; |
| 3322 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3323 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3324 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 3325 | mbedtls_ssl_send_flight_completed(ssl); |
| 3326 | } |
| Manuel Pégourié-Gonnard | 7de3c9e | 2014-09-29 15:29:48 +0200 | [diff] [blame] | 3327 | #endif |
| 3328 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3329 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3330 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3331 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3332 | } |
| 3333 | |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3334 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3335 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 3336 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 3337 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 3338 | return ret; |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3339 | } |
| Hanno Becker | bc2498a | 2018-08-28 10:13:29 +0100 | [diff] [blame] | 3340 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| Manuel Pégourié-Gonnard | 87a346f | 2017-09-13 12:45:21 +0200 | [diff] [blame] | 3341 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3342 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3343 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3344 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3345 | } |
| 3346 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3347 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 3348 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3349 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3350 | static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3351 | const unsigned char *end) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3352 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3353 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3354 | size_t n; |
| 3355 | |
| 3356 | /* |
| 3357 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| 3358 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3359 | if (*p + 2 > end) { |
| 3360 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3361 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3362 | } |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3363 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3364 | n = ((*p)[0] << 8) | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3365 | *p += 2; |
| 3366 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3367 | if (*p + n > end) { |
| 3368 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3369 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3370 | } |
| 3371 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3372 | if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) { |
| 3373 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret); |
| 3374 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3375 | } |
| 3376 | |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3377 | *p += n; |
| 3378 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3379 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3380 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3381 | return ret; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3382 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3383 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 3384 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3385 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3386 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3387 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3388 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3389 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3390 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3391 | static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl, |
| 3392 | unsigned char *peer_pms, |
| 3393 | size_t *peer_pmslen, |
| 3394 | size_t peer_pmssize) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3395 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3396 | int ret = ssl->conf->f_async_resume(ssl, |
| 3397 | peer_pms, peer_pmslen, peer_pmssize); |
| 3398 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| Gilles Peskine | df13d5c | 2018-04-25 20:39:48 +0200 | [diff] [blame] | 3399 | ssl->handshake->async_in_progress = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3400 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3401 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3402 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret); |
| 3403 | return ret; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3404 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3405 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3406 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3407 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3408 | static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3409 | const unsigned char *p, |
| 3410 | const unsigned char *end, |
| 3411 | unsigned char *peer_pms, |
| 3412 | size_t *peer_pmslen, |
| 3413 | size_t peer_pmssize) |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3414 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3415 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Leonid Rozenboim | 70dfd4c | 2022-08-08 15:43:44 -0700 | [diff] [blame] | 3416 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3417 | mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl); |
| 3418 | if (own_cert == NULL) { |
| 3419 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate")); |
| 3420 | return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; |
| Leonid Rozenboim | 70dfd4c | 2022-08-08 15:43:44 -0700 | [diff] [blame] | 3421 | } |
| 3422 | mbedtls_pk_context *public_key = &own_cert->pk; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3423 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 3424 | size_t len = mbedtls_pk_get_len(public_key); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3425 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3426 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3427 | /* If we have already started decoding the message and there is an ongoing |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3428 | * decryption operation, resume signing. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3429 | if (ssl->handshake->async_in_progress != 0) { |
| 3430 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation")); |
| 3431 | return ssl_resume_decrypt_pms(ssl, |
| 3432 | peer_pms, peer_pmslen, peer_pmssize); |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3433 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3434 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3435 | |
| 3436 | /* |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3437 | * Prepare to decrypt the premaster using own private RSA key |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3438 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3439 | if (p + 2 > end) { |
| 3440 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3441 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Mateusz Starzyk | 06b07fb | 2021-02-18 13:55:21 +0100 | [diff] [blame] | 3442 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3443 | if (*p++ != MBEDTLS_BYTE_1(len) || |
| 3444 | *p++ != MBEDTLS_BYTE_0(len)) { |
| 3445 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3446 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3447 | } |
| 3448 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3449 | if (p + len != end) { |
| 3450 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3451 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3452 | } |
| 3453 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3454 | /* |
| 3455 | * Decrypt the premaster secret |
| 3456 | */ |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3457 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3458 | if (ssl->conf->f_async_decrypt_start != NULL) { |
| 3459 | ret = ssl->conf->f_async_decrypt_start(ssl, |
| 3460 | mbedtls_ssl_own_cert(ssl), |
| 3461 | p, len); |
| 3462 | switch (ret) { |
| 3463 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3464 | /* act as if f_async_decrypt_start was null */ |
| 3465 | break; |
| 3466 | case 0: |
| 3467 | ssl->handshake->async_in_progress = 1; |
| 3468 | return ssl_resume_decrypt_pms(ssl, |
| 3469 | peer_pms, |
| 3470 | peer_pmslen, |
| 3471 | peer_pmssize); |
| 3472 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3473 | ssl->handshake->async_in_progress = 1; |
| 3474 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3475 | default: |
| 3476 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret); |
| 3477 | return ret; |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3478 | } |
| 3479 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3480 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3481 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3482 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) { |
| 3483 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key")); |
| 3484 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3485 | } |
| 3486 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3487 | ret = mbedtls_pk_decrypt(private_key, p, len, |
| 3488 | peer_pms, peer_pmslen, peer_pmssize, |
| 3489 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3490 | return ret; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3491 | } |
| 3492 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3493 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3494 | static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3495 | const unsigned char *p, |
| 3496 | const unsigned char *end, |
| 3497 | size_t pms_offset) |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3498 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3499 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3500 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| 3501 | unsigned char ver[2]; |
| 3502 | unsigned char fake_pms[48], peer_pms[48]; |
| 3503 | unsigned char mask; |
| 3504 | size_t i, peer_pmslen; |
| 3505 | unsigned int diff; |
| 3506 | |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3507 | /* In case of a failure in decryption, the decryption may write less than |
| 3508 | * 2 bytes of output, but we always read the first two bytes. It doesn't |
| 3509 | * matter in the end because diff will be nonzero in that case due to |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3510 | * ret being nonzero, and we only care whether diff is 0. |
| 3511 | * But do initialize peer_pms and peer_pmslen for robustness anyway. This |
| 3512 | * also makes memory analyzers happy (don't access uninitialized memory, |
| 3513 | * even if it's an unsigned char). */ |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3514 | peer_pms[0] = peer_pms[1] = ~0; |
| André Maroneze | 7953329 | 2020-11-12 09:37:42 +0100 | [diff] [blame] | 3515 | peer_pmslen = 0; |
| Gilles Peskine | 0a8352b | 2018-06-13 18:16:41 +0200 | [diff] [blame] | 3516 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3517 | ret = ssl_decrypt_encrypted_pms(ssl, p, end, |
| 3518 | peer_pms, |
| 3519 | &peer_pmslen, |
| 3520 | sizeof(peer_pms)); |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3521 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3522 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3523 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3524 | return ret; |
| 3525 | } |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3526 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3527 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3528 | mbedtls_ssl_write_version(ver, ssl->conf->transport, |
| 3529 | ssl->session_negotiate->tls_version); |
| Gilles Peskine | 2e33337 | 2018-04-24 13:22:10 +0200 | [diff] [blame] | 3530 | |
| 3531 | /* Avoid data-dependent branches while checking for invalid |
| 3532 | * padding, to protect against timing-based Bleichenbacher-type |
| 3533 | * attacks. */ |
| 3534 | diff = (unsigned int) ret; |
| 3535 | diff |= peer_pmslen ^ 48; |
| 3536 | diff |= peer_pms[0] ^ ver[0]; |
| 3537 | diff |= peer_pms[1] ^ ver[1]; |
| 3538 | |
| 3539 | /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3540 | mask = mbedtls_ct_uint_mask(diff); |
| Manuel Pégourié-Gonnard | b9c93d0 | 2015-06-23 13:53:15 +0200 | [diff] [blame] | 3541 | |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3542 | /* |
| 3543 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| 3544 | * must not cause the connection to end immediately; instead, send a |
| 3545 | * bad_record_mac later in the handshake. |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3546 | * To protect against timing-based variants of the attack, we must |
| 3547 | * not have any branch that depends on whether the decryption was |
| 3548 | * successful. In particular, always generate the fake premaster secret, |
| 3549 | * regardless of whether it will ultimately influence the output or not. |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3550 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3551 | ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms)); |
| 3552 | if (ret != 0) { |
| Gilles Peskine | e141638 | 2018-04-26 10:23:21 +0200 | [diff] [blame] | 3553 | /* It's ok to abort on an RNG failure, since this does not reveal |
| 3554 | * anything about the RSA decryption. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3555 | return ret; |
| Gilles Peskine | bcd98a5 | 2018-01-11 21:30:40 +0100 | [diff] [blame] | 3556 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3557 | |
| Manuel Pégourié-Gonnard | 331ba57 | 2015-04-20 12:33:57 +0100 | [diff] [blame] | 3558 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3559 | if (diff != 0) { |
| 3560 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3561 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3562 | #endif |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3563 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3564 | if (sizeof(ssl->handshake->premaster) < pms_offset || |
| 3565 | sizeof(ssl->handshake->premaster) - pms_offset < 48) { |
| 3566 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3567 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3568 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3569 | ssl->handshake->pmslen = 48; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3570 | |
| Gilles Peskine | 422ccab | 2018-01-11 18:29:01 +0100 | [diff] [blame] | 3571 | /* Set pms to either the true or the fake PMS, without |
| 3572 | * data-dependent branches. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3573 | for (i = 0; i < ssl->handshake->pmslen; i++) { |
| 3574 | pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]); |
| 3575 | } |
| Manuel Pégourié-Gonnard | 6674cce | 2015-02-06 10:30:58 +0000 | [diff] [blame] | 3576 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3577 | return 0; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3578 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3579 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 3580 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3581 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3582 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3583 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3584 | static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3585 | const unsigned char *end) |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3586 | { |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3587 | int ret = 0; |
| irwir | 6527bd6 | 2019-09-21 18:51:25 +0300 | [diff] [blame] | 3588 | uint16_t n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3589 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3590 | if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 3591 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); |
| 3592 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3593 | } |
| 3594 | |
| 3595 | /* |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3596 | * Receive client pre-shared key identity name |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3597 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3598 | if (end - *p < 2) { |
| 3599 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3600 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3601 | } |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3602 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3603 | n = ((*p)[0] << 8) | (*p)[1]; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3604 | *p += 2; |
| 3605 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3606 | if (n == 0 || n > end - *p) { |
| 3607 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3608 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3609 | } |
| 3610 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3611 | if (ssl->conf->f_psk != NULL) { |
| 3612 | if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3613 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3614 | } |
| 3615 | } else { |
| Manuel Pégourié-Gonnard | 31ff1d2 | 2013-10-28 13:46:11 +0100 | [diff] [blame] | 3616 | /* Identity is not a big secret since clients send it in the clear, |
| 3617 | * but treat it carefully anyway, just in case */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3618 | if (n != ssl->conf->psk_identity_len || |
| 3619 | mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3620 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | 6db455e | 2013-09-18 17:29:31 +0200 | [diff] [blame] | 3621 | } |
| 3622 | } |
| 3623 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3624 | if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { |
| 3625 | MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n); |
| 3626 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3627 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY); |
| 3628 | return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3629 | } |
| 3630 | |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3631 | *p += n; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3632 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3633 | return 0; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3634 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 3635 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3636 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 3637 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3638 | static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3639 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 3640 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3641 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3642 | unsigned char *p, *end; |
| Paul Bakker | 70df2fb | 2013-04-17 17:19:09 +0200 | [diff] [blame] | 3643 | |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 3644 | ciphersuite_info = ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3645 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3646 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3647 | |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3648 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3649 | (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3650 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)) |
| 3651 | if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 3652 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) && |
| 3653 | (ssl->handshake->async_in_progress != 0)) { |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3654 | /* We've already read a record and there is an asynchronous |
| 3655 | * operation in progress to decrypt it. So skip reading the |
| Gilles Peskine | 168dae8 | 2018-04-25 23:35:42 +0200 | [diff] [blame] | 3656 | * record. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3657 | MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record")); |
| 3658 | } else |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3659 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3660 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 3661 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 3662 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3663 | } |
| 3664 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3665 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| Manuel Pégourié-Gonnard | 2114d72 | 2014-09-10 13:59:41 +0000 | [diff] [blame] | 3666 | end = ssl->in_msg + ssl->in_hslen; |
| Manuel Pégourié-Gonnard | f899583 | 2014-09-10 08:25:12 +0000 | [diff] [blame] | 3667 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3668 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 3669 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3670 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3671 | } |
| 3672 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3673 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) { |
| 3674 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3675 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3676 | } |
| 3677 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3678 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3679 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
| 3680 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3681 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3682 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3683 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3684 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3685 | if (p != end) { |
| 3686 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3687 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3688 | } |
| 3689 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3690 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3691 | ssl->handshake->premaster, |
| 3692 | MBEDTLS_PREMASTER_SIZE, |
| 3693 | &ssl->handshake->pmslen, |
| 3694 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3695 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3696 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3697 | } |
| 3698 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3699 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 3700 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3701 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3702 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 3703 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 3704 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 3705 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3706 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| Neil Armstrong | 1f4b396 | 2022-03-09 14:54:29 +0100 | [diff] [blame] | 3707 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 3708 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3709 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3710 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3711 | size_t data_len = (size_t) (*p++); |
| 3712 | size_t buf_len = (size_t) (end - p); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3713 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 3714 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3715 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3716 | MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3717 | |
| 3718 | /* |
| Przemek Stekiel | 338b61d | 2022-03-15 08:03:43 +0100 | [diff] [blame] | 3719 | * We must have at least two bytes (1 for length, at least 1 for data) |
| 3720 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3721 | if (buf_len < 2) { |
| 3722 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); |
| 3723 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3724 | } |
| 3725 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3726 | if (data_len < 1 || data_len > buf_len) { |
| 3727 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); |
| 3728 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3729 | } |
| 3730 | |
| 3731 | /* Store peer's ECDH public key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3732 | memcpy(handshake->ecdh_psa_peerkey, p, data_len); |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3733 | handshake->ecdh_psa_peerkey_len = data_len; |
| 3734 | |
| 3735 | /* Compute ECDH shared secret. */ |
| 3736 | status = psa_raw_key_agreement( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3737 | PSA_ALG_ECDH, handshake->ecdh_psa_privkey, |
| 3738 | handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, |
| 3739 | handshake->premaster, sizeof(handshake->premaster), |
| 3740 | &handshake->pmslen); |
| 3741 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3742 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3743 | MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); |
| 3744 | if (handshake->ecdh_psa_privkey_is_external == 0) { |
| 3745 | (void) psa_destroy_key(handshake->ecdh_psa_privkey); |
| 3746 | } |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3747 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3748 | return ret; |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3749 | } |
| 3750 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3751 | if (handshake->ecdh_psa_privkey_is_external == 0) { |
| 3752 | status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3753 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3754 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3755 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3756 | MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); |
| 3757 | return ret; |
| Neil Armstrong | 8113d25 | 2022-03-23 10:57:04 +0100 | [diff] [blame] | 3758 | } |
| Przemek Stekiel | ce1d792 | 2022-03-14 16:16:25 +0100 | [diff] [blame] | 3759 | } |
| 3760 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3761 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3762 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3763 | p, end - p)) != 0) { |
| 3764 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3765 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3766 | } |
| 3767 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3768 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3769 | MBEDTLS_DEBUG_ECDH_QP); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3770 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3771 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
| 3772 | &ssl->handshake->pmslen, |
| 3773 | ssl->handshake->premaster, |
| 3774 | MBEDTLS_MPI_MAX_SIZE, |
| 3775 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3776 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
| 3777 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3778 | } |
| 3779 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3780 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3781 | MBEDTLS_DEBUG_ECDH_Z); |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3782 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3783 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3784 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 3785 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 3786 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 3787 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 3788 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3789 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
| 3790 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3791 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3792 | return ret; |
| Paul Bakker | fbb1780 | 2013-04-17 19:10:21 +0200 | [diff] [blame] | 3793 | } |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3794 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3795 | if (p != end) { |
| 3796 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3797 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3798 | } |
| 3799 | |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3800 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3801 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| Agathiyan Bragadeesh | 8b52b88 | 2023-07-13 13:12:40 +0100 | [diff] [blame^] | 3802 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3803 | key_exchange)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3804 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3805 | return ret; |
| Manuel Pégourié-Gonnard | bd1ae24 | 2013-10-14 13:09:25 +0200 | [diff] [blame] | 3806 | } |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3807 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3808 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3809 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| 3810 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3811 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3812 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3813 | if (ssl->handshake->async_in_progress != 0) { |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3814 | /* There is an asynchronous operation in progress to |
| 3815 | * decrypt the encrypted premaster secret, so skip |
| 3816 | * directly to resuming this operation. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3817 | MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed")); |
| Gilles Peskine | 2c6078e | 2018-01-12 13:46:43 +0100 | [diff] [blame] | 3818 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms |
| 3819 | * won't actually use it, but maintain p anyway for robustness. */ |
| 3820 | p += ssl->conf->psk_identity_len + 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3821 | } else |
| Gilles Peskine | b74a1c7 | 2018-04-24 13:09:22 +0200 | [diff] [blame] | 3822 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3823 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3824 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3825 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3826 | } |
| 3827 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3828 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) { |
| 3829 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret); |
| 3830 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3831 | } |
| 3832 | |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3833 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3834 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| Agathiyan Bragadeesh | 8b52b88 | 2023-07-13 13:12:40 +0100 | [diff] [blame^] | 3835 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3836 | key_exchange)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3837 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3838 | return ret; |
| Manuel Pégourié-Gonnard | 0fae60b | 2013-10-14 17:39:48 +0200 | [diff] [blame] | 3839 | } |
| Neil Armstrong | cd05f0b | 2022-05-03 10:28:37 +0200 | [diff] [blame] | 3840 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3841 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3842 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 3843 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3844 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| 3845 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3846 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3847 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3848 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3849 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3850 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3851 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3852 | } |
| 3853 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3854 | if (p != end) { |
| 3855 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3856 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 969ccc6 | 2014-03-26 19:53:25 +0100 | [diff] [blame] | 3857 | } |
| 3858 | |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3859 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3860 | unsigned char *pms = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3861 | unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3862 | size_t pms_len; |
| 3863 | |
| 3864 | /* Write length only when we know the actual value */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3865 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3866 | pms + 2, pms_end - (pms + 2), &pms_len, |
| 3867 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3868 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3869 | return ret; |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3870 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3871 | MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3872 | pms += 2 + pms_len; |
| 3873 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3874 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3875 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3876 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| Agathiyan Bragadeesh | 8b52b88 | 2023-07-13 13:12:40 +0100 | [diff] [blame^] | 3877 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3878 | key_exchange)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3879 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3880 | return ret; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 3881 | } |
| Neil Armstrong | 80f6f32 | 2022-05-03 17:56:38 +0200 | [diff] [blame] | 3882 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3883 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3884 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| Neil Armstrong | d91526c | 2022-04-12 14:38:52 +0200 | [diff] [blame] | 3885 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3886 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3887 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3888 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3889 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3890 | uint8_t ecpoint_len; |
| 3891 | |
| 3892 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3893 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3894 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3895 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3896 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3897 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3898 | return ret; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3899 | } |
| 3900 | |
| 3901 | /* Keep a copy of the peer's public key */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3902 | if (p >= end) { |
| 3903 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 3904 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3905 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Neil Armstrong | 3cae167 | 2022-04-05 10:01:15 +0200 | [diff] [blame] | 3906 | } |
| 3907 | |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3908 | ecpoint_len = *(p++); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3909 | if ((size_t) (end - p) < ecpoint_len) { |
| 3910 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3911 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3912 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3913 | } |
| 3914 | |
| Przemek Stekiel | 24e50d3 | 2023-05-19 10:21:38 +0200 | [diff] [blame] | 3915 | #if !defined(PSA_WANT_ALG_FFDH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3916 | if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { |
| 3917 | psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3918 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3919 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3920 | } |
| Przemek Stekiel | 24e50d3 | 2023-05-19 10:21:38 +0200 | [diff] [blame] | 3921 | #endif |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3922 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3923 | memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3924 | handshake->ecdh_psa_peerkey_len = ecpoint_len; |
| 3925 | p += ecpoint_len; |
| 3926 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 3927 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| Neil Armstrong | fdf20cb | 2022-03-24 09:43:02 +0100 | [diff] [blame] | 3928 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 3929 | * - the octet string produced by the ECDH computation |
| 3930 | * - a uint16 containing the length (in octets) of the PSK |
| 3931 | * - the PSK itself |
| 3932 | */ |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3933 | unsigned char *psm = ssl->handshake->premaster; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3934 | const unsigned char * const psm_end = |
| 3935 | psm + sizeof(ssl->handshake->premaster); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 3936 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 3937 | const size_t zlen_size = 2; |
| Neil Armstrong | 549a3e4 | 2022-03-23 18:16:24 +0100 | [diff] [blame] | 3938 | size_t zlen = 0; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3939 | |
| 3940 | /* Compute ECDH shared secret. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3941 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 3942 | handshake->ecdh_psa_privkey, |
| 3943 | handshake->ecdh_psa_peerkey, |
| 3944 | handshake->ecdh_psa_peerkey_len, |
| 3945 | psm + zlen_size, |
| 3946 | psm_end - (psm + zlen_size), |
| 3947 | &zlen); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3948 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3949 | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3950 | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3951 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3952 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3953 | return PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3954 | } else if (destruction_status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 3955 | return PSA_TO_MBEDTLS_ERR(destruction_status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3956 | } |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3957 | |
| Neil Armstrong | 3bcef08 | 2022-03-23 18:16:54 +0100 | [diff] [blame] | 3958 | /* Write the ECDH computation length before the ECDH computation */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3959 | MBEDTLS_PUT_UINT16_BE(zlen, psm, 0); |
| Neil Armstrong | 2d63da9 | 2022-03-23 18:17:31 +0100 | [diff] [blame] | 3960 | psm += zlen_size + zlen; |
| Neil Armstrong | 039db29 | 2022-03-09 11:38:34 +0100 | [diff] [blame] | 3961 | |
| Przemek Stekiel | 14d11b0 | 2022-04-14 08:33:29 +0200 | [diff] [blame] | 3962 | #else /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3963 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3964 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3965 | return ret; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3966 | } |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3967 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3968 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3969 | p, end - p)) != 0) { |
| 3970 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3971 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3972 | } |
| 3973 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3974 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3975 | MBEDTLS_DEBUG_ECDH_QP); |
| Manuel Pégourié-Gonnard | b59d699 | 2013-10-14 12:00:45 +0200 | [diff] [blame] | 3976 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3977 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| Agathiyan Bragadeesh | 8b52b88 | 2023-07-13 13:12:40 +0100 | [diff] [blame^] | 3978 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3979 | key_exchange)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3980 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3981 | return ret; |
| Manuel Pégourié-Gonnard | 3ce3bbd | 2013-10-11 16:53:50 +0200 | [diff] [blame] | 3982 | } |
| Neil Armstrong | 913b364 | 2022-04-13 14:59:48 +0200 | [diff] [blame] | 3983 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3984 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3985 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| 3986 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3987 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| 3988 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) { |
| 3989 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret); |
| 3990 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3991 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3992 | } else |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 3993 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 3994 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3995 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 3996 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3997 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 3998 | &ssl->handshake->psa_pake_ctx, p, end - p, |
| 3999 | MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { |
| 4000 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 4001 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 4002 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4003 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); |
| 4004 | return ret; |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 4005 | } |
| 4006 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4007 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
| 4008 | p, end - p); |
| 4009 | if (ret != 0) { |
| 4010 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
| 4011 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4012 | } |
| 4013 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4014 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
| 4015 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 4016 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 4017 | if (ret != 0) { |
| 4018 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
| 4019 | return ret; |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4020 | } |
| Neil Armstrong | ca7d506 | 2022-05-31 14:43:23 +0200 | [diff] [blame] | 4021 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4022 | } else |
| Manuel Pégourié-Gonnard | 0f1660a | 2015-09-16 22:41:06 +0200 | [diff] [blame] | 4023 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4024 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4025 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 4026 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4027 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4028 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4029 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 4030 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 4031 | return ret; |
| Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 4032 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4033 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4034 | ssl->state++; |
| 4035 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4036 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4037 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4038 | return 0; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4039 | } |
| 4040 | |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4041 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4042 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4043 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4044 | { |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4045 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4046 | ssl->handshake->ciphersuite_info; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4047 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4048 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4049 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4050 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 4051 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4052 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4053 | return 0; |
| Paul Bakker | ed27a04 | 2013-04-18 22:46:23 +0200 | [diff] [blame] | 4054 | } |
| 4055 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4056 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 4057 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4058 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4059 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4060 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4061 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4062 | { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4063 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4064 | size_t i, sig_len; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4065 | unsigned char hash[48]; |
| Manuel Pégourié-Gonnard | 4bd1284 | 2013-08-27 13:31:28 +0200 | [diff] [blame] | 4066 | unsigned char *hash_start = hash; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4067 | size_t hashlen; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4068 | mbedtls_pk_type_t pk_alg; |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4069 | mbedtls_md_type_t md_alg; |
| Hanno Becker | 0d0cd4b | 2017-05-11 14:06:43 +0100 | [diff] [blame] | 4070 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| Hanno Becker | e694c3e | 2017-12-27 21:34:08 +0000 | [diff] [blame] | 4071 | ssl->handshake->ciphersuite_info; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4072 | mbedtls_pk_context *peer_pk; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4073 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4074 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4075 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4076 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 4077 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4078 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4079 | return 0; |
| Paul Bakker | 48f7a5d | 2013-04-19 14:30:58 +0200 | [diff] [blame] | 4080 | } |
| 4081 | |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4082 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4083 | if (ssl->session_negotiate->peer_cert == NULL) { |
| 4084 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4085 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4086 | return 0; |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4087 | } |
| 4088 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4089 | if (ssl->session_negotiate->peer_cert_digest == NULL) { |
| 4090 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4091 | ssl->state++; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4092 | return 0; |
| Hanno Becker | 2a831a4 | 2019-02-07 13:17:25 +0000 | [diff] [blame] | 4093 | } |
| 4094 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4095 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4096 | /* Read the message without adding it to the checksum */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4097 | ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */); |
| 4098 | if (0 != ret) { |
| 4099 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret); |
| 4100 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4101 | } |
| 4102 | |
| 4103 | ssl->state++; |
| 4104 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4105 | /* Process the message contents */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4106 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 4107 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) { |
| 4108 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4109 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4110 | } |
| 4111 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4112 | i = mbedtls_ssl_hs_hdr_len(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4113 | |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4114 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 4115 | peer_pk = &ssl->handshake->peer_pubkey; |
| 4116 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4117 | if (ssl->session_negotiate->peer_cert == NULL) { |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4118 | /* Should never happen */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4119 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Hanno Becker | a1ab9be | 2019-02-06 18:31:04 +0000 | [diff] [blame] | 4120 | } |
| 4121 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 4122 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4123 | |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4124 | /* |
| 4125 | * struct { |
| 4126 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| 4127 | * opaque signature<0..2^16-1>; |
| 4128 | * } DigitallySigned; |
| 4129 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4130 | if (i + 2 > ssl->in_hslen) { |
| 4131 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4132 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4133 | } |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4134 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4135 | /* |
| 4136 | * Hash |
| 4137 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4138 | md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]); |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4139 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4140 | if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) { |
| 4141 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4142 | " for verify message")); |
| 4143 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4144 | } |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4145 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4146 | #if !defined(MBEDTLS_MD_SHA1) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4147 | if (MBEDTLS_MD_SHA1 == md_alg) { |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4148 | hash_start += 16; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4149 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4150 | #endif |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4151 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4152 | /* Info from md_alg will be used instead */ |
| 4153 | hashlen = 0; |
| Manuel Pégourié-Gonnard | 0b03200 | 2013-08-17 13:01:41 +0200 | [diff] [blame] | 4154 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4155 | i++; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4156 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4157 | /* |
| 4158 | * Signature |
| 4159 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4160 | if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) |
| 4161 | == MBEDTLS_PK_NONE) { |
| 4162 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4163 | " for verify message")); |
| 4164 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Manuel Pégourié-Gonnard | b3d9187 | 2013-08-14 15:56:19 +0200 | [diff] [blame] | 4165 | } |
| Manuel Pégourié-Gonnard | ff56da3 | 2013-07-11 10:46:21 +0200 | [diff] [blame] | 4166 | |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4167 | /* |
| 4168 | * Check the certificate's key type matches the signature alg |
| 4169 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4170 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 4171 | MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); |
| 4172 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ronald Cron | 8457c12 | 2022-03-07 11:32:54 +0100 | [diff] [blame] | 4173 | } |
| 4174 | |
| 4175 | i++; |
| 4176 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4177 | if (i + 2 > ssl->in_hslen) { |
| 4178 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4179 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Manuel Pégourié-Gonnard | 5ee9654 | 2014-09-10 14:27:21 +0000 | [diff] [blame] | 4180 | } |
| 4181 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4182 | sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1]; |
| Manuel Pégourié-Gonnard | 4528f3f | 2014-09-10 14:17:23 +0000 | [diff] [blame] | 4183 | i += 2; |
| Paul Bakker | 926af75 | 2012-11-23 13:38:07 +0100 | [diff] [blame] | 4184 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4185 | if (i + sig_len != ssl->in_hslen) { |
| 4186 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4187 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4188 | } |
| 4189 | |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4190 | /* Calculate hash and verify signature */ |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 4191 | { |
| 4192 | size_t dummy_hlen; |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 4193 | ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); |
| 4194 | if (0 != ret) { |
| 4195 | MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); |
| 4196 | return ret; |
| 4197 | } |
| Manuel Pégourié-Gonnard | de718b9 | 2019-05-03 11:43:28 +0200 | [diff] [blame] | 4198 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4199 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4200 | if ((ret = mbedtls_pk_verify(peer_pk, |
| 4201 | md_alg, hash_start, hashlen, |
| 4202 | ssl->in_msg + i, sig_len)) != 0) { |
| 4203 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
| 4204 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4205 | } |
| 4206 | |
| Manuel Pégourié-Gonnard | b8b07aa | 2023-02-06 00:34:21 +0100 | [diff] [blame] | 4207 | ret = mbedtls_ssl_update_handshake_status(ssl); |
| 4208 | if (0 != ret) { |
| 4209 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); |
| 4210 | return ret; |
| 4211 | } |
| Simon Butcher | 9900014 | 2016-10-13 17:21:01 +0100 | [diff] [blame] | 4212 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4213 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4214 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4215 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4216 | } |
| Gilles Peskine | eccd888 | 2020-03-10 12:19:08 +0100 | [diff] [blame] | 4217 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4218 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4219 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 4220 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4221 | static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4222 | { |
| Janos Follath | 865b3eb | 2019-12-16 11:46:15 +0000 | [diff] [blame] | 4223 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4224 | size_t tlen; |
| Manuel Pégourié-Gonnard | b0394be | 2015-05-19 11:40:30 +0200 | [diff] [blame] | 4225 | uint32_t lifetime; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4226 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4227 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4228 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4229 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 4230 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4231 | |
| 4232 | /* |
| 4233 | * struct { |
| 4234 | * uint32 ticket_lifetime_hint; |
| 4235 | * opaque ticket<0..2^16-1>; |
| 4236 | * } NewSessionTicket; |
| 4237 | * |
| 4238 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| 4239 | * 8 . 9 ticket_len (n) |
| 4240 | * 10 . 9+n ticket content |
| 4241 | */ |
| Manuel Pégourié-Gonnard | 164d894 | 2013-09-23 22:01:39 +0200 | [diff] [blame] | 4242 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4243 | if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, |
| 4244 | ssl->session_negotiate, |
| 4245 | ssl->out_msg + 10, |
| 4246 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| 4247 | &tlen, &lifetime)) != 0) { |
| 4248 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret); |
| Manuel Pégourié-Gonnard | 990c51a | 2013-08-03 15:37:58 +0200 | [diff] [blame] | 4249 | tlen = 0; |
| 4250 | } |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4251 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4252 | MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4); |
| 4253 | MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8); |
| Manuel Pégourié-Gonnard | 609bc81 | 2013-08-01 15:08:40 +0200 | [diff] [blame] | 4254 | ssl->out_msglen = 10 + tlen; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4255 | |
| Manuel Pégourié-Gonnard | 145dfcb | 2014-02-26 14:23:33 +0100 | [diff] [blame] | 4256 | /* |
| 4257 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| 4258 | * ChangeCipherSpec share the same state. |
| 4259 | */ |
| 4260 | ssl->handshake->new_session_ticket = 0; |
| 4261 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4262 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 4263 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 4264 | return ret; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4265 | } |
| 4266 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4267 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4268 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4269 | return 0; |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4270 | } |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4271 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4272 | |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4273 | /* |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4274 | * SSL handshake -- server side -- single step |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4275 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4276 | int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4277 | { |
| 4278 | int ret = 0; |
| 4279 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4280 | MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4281 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4282 | switch (ssl->state) { |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4283 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 4284 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4285 | break; |
| 4286 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4287 | /* |
| 4288 | * <== ClientHello |
| 4289 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4290 | case MBEDTLS_SSL_CLIENT_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4291 | ret = ssl_parse_client_hello(ssl); |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4292 | break; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4293 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4294 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4295 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4296 | return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED; |
| Manuel Pégourié-Gonnard | 579950c | 2014-09-29 17:47:33 +0200 | [diff] [blame] | 4297 | #endif |
| 4298 | |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4299 | /* |
| 4300 | * ==> ServerHello |
| 4301 | * Certificate |
| 4302 | * ( ServerKeyExchange ) |
| 4303 | * ( CertificateRequest ) |
| 4304 | * ServerHelloDone |
| 4305 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4306 | case MBEDTLS_SSL_SERVER_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4307 | ret = ssl_write_server_hello(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4308 | break; |
| 4309 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4310 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4311 | ret = mbedtls_ssl_write_certificate(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4312 | break; |
| 4313 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4314 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4315 | ret = ssl_write_server_key_exchange(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4316 | break; |
| 4317 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4318 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4319 | ret = ssl_write_certificate_request(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4320 | break; |
| 4321 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4322 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4323 | ret = ssl_write_server_hello_done(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4324 | break; |
| 4325 | |
| 4326 | /* |
| 4327 | * <== ( Certificate/Alert ) |
| 4328 | * ClientKeyExchange |
| 4329 | * ( CertificateVerify ) |
| 4330 | * ChangeCipherSpec |
| 4331 | * Finished |
| 4332 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4333 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4334 | ret = mbedtls_ssl_parse_certificate(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4335 | break; |
| 4336 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4337 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4338 | ret = ssl_parse_client_key_exchange(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4339 | break; |
| 4340 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4341 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4342 | ret = ssl_parse_certificate_verify(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4343 | break; |
| 4344 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4345 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4346 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4347 | break; |
| 4348 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4349 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4350 | ret = mbedtls_ssl_parse_finished(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4351 | break; |
| 4352 | |
| 4353 | /* |
| Manuel Pégourié-Gonnard | 7a358b8 | 2013-08-01 11:47:56 +0200 | [diff] [blame] | 4354 | * ==> ( NewSessionTicket ) |
| 4355 | * ChangeCipherSpec |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4356 | * Finished |
| 4357 | */ |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4358 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 4359 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4360 | if (ssl->handshake->new_session_ticket != 0) { |
| 4361 | ret = ssl_write_new_session_ticket(ssl); |
| 4362 | } else |
| Paul Bakker | a503a63 | 2013-08-14 13:48:06 +0200 | [diff] [blame] | 4363 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4364 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4365 | break; |
| 4366 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4367 | case MBEDTLS_SSL_SERVER_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4368 | ret = mbedtls_ssl_write_finished(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4369 | break; |
| 4370 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4371 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4372 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4373 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4374 | break; |
| 4375 | |
| Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 4376 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4377 | mbedtls_ssl_handshake_wrapup(ssl); |
| Paul Bakker | 1961b70 | 2013-01-25 14:49:24 +0100 | [diff] [blame] | 4378 | break; |
| 4379 | |
| 4380 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4381 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 4382 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4383 | } |
| 4384 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4385 | return ret; |
| Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 4386 | } |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4387 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 4388 | void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order) |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4389 | { |
| TRodziewicz | 3946f79 | 2021-06-14 12:11:18 +0200 | [diff] [blame] | 4390 | conf->respect_cli_pref = order; |
| TRodziewicz | 8476f2f | 2021-06-02 14:34:47 +0200 | [diff] [blame] | 4391 | } |
| 4392 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 4393 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |