blob: e3aefc66e1837c7e0c458e216edb29420a167a2e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 client-side functions
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +02004 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +000018 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +020020#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020022#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000023
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000024#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +020025
SimonBd5800b72016-04-26 07:43:27 +010026#include "mbedtls/ssl.h"
27#include "mbedtls/ssl_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +000028#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Gabor Mezeie24dea82021-10-19 12:22:25 +020030#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +010031
Hanno Beckerbb89e272019-01-08 12:54:37 +000032#if defined(MBEDTLS_USE_PSA_CRYPTO)
33#include "mbedtls/psa_util.h"
Ronald Cron3a95d2b2021-10-18 09:47:58 +020034#include "psa/crypto.h"
Hanno Beckerbb89e272019-01-08 12:54:37 +000035#endif /* MBEDTLS_USE_PSA_CRYPTO */
36
SimonBd5800b72016-04-26 07:43:27 +010037#include <string.h>
38
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +020039#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020041#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +010042#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +020043#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020045#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050046#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +020047#endif
48
Gilles Peskineeccd8882020-03-10 12:19:08 +010049#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +020050MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker520224e2018-10-26 11:38:07 +010051static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
Hanno Becker2e4f6162018-10-23 11:54:44 +010052{
53 if( conf->psk_identity == NULL ||
54 conf->psk_identity_len == 0 )
55 {
56 return( 0 );
57 }
58
59 if( conf->psk != NULL && conf->psk_len != 0 )
60 return( 1 );
61
62#if defined(MBEDTLS_USE_PSA_CRYPTO)
Ronald Croncf56a0a2020-08-04 09:51:30 +020063 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
Hanno Becker2e4f6162018-10-23 11:54:44 +010064 return( 1 );
65#endif /* MBEDTLS_USE_PSA_CRYPTO */
66
67 return( 0 );
68}
Hanno Beckerdfab8e22018-10-23 11:59:34 +010069
70#if defined(MBEDTLS_USE_PSA_CRYPTO)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +020071MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker520224e2018-10-26 11:38:07 +010072static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
Hanno Beckerdfab8e22018-10-23 11:59:34 +010073{
74 if( conf->psk_identity == NULL ||
75 conf->psk_identity_len == 0 )
76 {
77 return( 0 );
78 }
79
80 if( conf->psk != NULL && conf->psk_len != 0 )
81 return( 1 );
82
83 return( 0 );
84}
85#endif /* MBEDTLS_USE_PSA_CRYPTO */
86
Gilles Peskineeccd8882020-03-10 12:19:08 +010087#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +010088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020089#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +020090MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +010091static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
92 unsigned char *buf,
93 const unsigned char *end,
94 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +010095{
96 unsigned char *p = buf;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +010097 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +010098
99 *olen = 0;
100
Paul Bakker66d5d072014-06-17 16:39:18 +0200101 if( ssl->hostname == NULL )
Hanno Becker261602c2017-04-12 14:54:42 +0100102 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100103
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100104 MBEDTLS_SSL_DEBUG_MSG( 3,
105 ( "client hello, adding server name extension: %s",
106 ssl->hostname ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100108 hostname_len = strlen( ssl->hostname );
109
Hanno Becker261602c2017-04-12 14:54:42 +0100110 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
Simon Butchered997662015-09-28 02:14:30 +0100111
Paul Bakkerd3edc862013-03-20 16:07:17 +0100112 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100113 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
114 *
115 * In order to provide any of the server names, clients MAY include an
116 * extension of type "server_name" in the (extended) client hello. The
117 * "extension_data" field of this extension SHALL contain
118 * "ServerNameList" where:
119 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100120 * struct {
121 * NameType name_type;
122 * select (name_type) {
123 * case host_name: HostName;
124 * } name;
125 * } ServerName;
126 *
127 * enum {
128 * host_name(0), (255)
129 * } NameType;
130 *
131 * opaque HostName<1..2^16-1>;
132 *
133 * struct {
134 * ServerName server_name_list<1..2^16-1>
135 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100136 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100137 */
Joe Subbiani2f98d792021-08-20 11:44:44 +0100138 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 );
139 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100140
Joe Subbiani2f98d792021-08-20 11:44:44 +0100141 MBEDTLS_PUT_UINT16_BE( hostname_len + 5, p, 0 );
142 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100143
Joe Subbiani2f98d792021-08-20 11:44:44 +0100144 MBEDTLS_PUT_UINT16_BE( hostname_len + 3, p, 0 );
145 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100146
Joe Subbianic045dc12021-07-14 12:31:31 +0100147 *p++ = MBEDTLS_BYTE_0( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME );
Joe Subbiani2f98d792021-08-20 11:44:44 +0100148
149 MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
150 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100151
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100152 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100153
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100154 *olen = hostname_len + 9;
Hanno Becker261602c2017-04-12 14:54:42 +0100155
156 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100157}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200158#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200160#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200161MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100162static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
163 unsigned char *buf,
164 const unsigned char *end,
165 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100166{
167 unsigned char *p = buf;
168
169 *olen = 0;
170
Tom Cosgrove5205c972022-07-28 06:12:08 +0100171 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100172 * initial ClientHello, in which case also adding the renegotiation
173 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200174 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Hanno Becker261602c2017-04-12 14:54:42 +0100175 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100176
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100177 MBEDTLS_SSL_DEBUG_MSG( 3,
178 ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100179
Hanno Becker261602c2017-04-12 14:54:42 +0100180 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
Simon Butchered997662015-09-28 02:14:30 +0100181
Paul Bakkerd3edc862013-03-20 16:07:17 +0100182 /*
183 * Secure renegotiation
184 */
Joe Subbiani2f98d792021-08-20 11:44:44 +0100185 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 );
186 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100187
188 *p++ = 0x00;
Joe Subbianic045dc12021-07-14 12:31:31 +0100189 *p++ = MBEDTLS_BYTE_0( ssl->verify_data_len + 1 );
190 *p++ = MBEDTLS_BYTE_0( ssl->verify_data_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100191
192 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
193
194 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100195
196 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100197}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200198#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100199
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100200/*
201 * Only if we handle at least one key exchange that needs signatures.
202 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200203#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100204 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200205MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100206static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
207 unsigned char *buf,
208 const unsigned char *end,
209 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100210{
211 unsigned char *p = buf;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100212 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200213 const int *md;
Hanno Becker261602c2017-04-12 14:54:42 +0100214
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200215#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200216 unsigned char *sig_alg_list = buf + 6;
217#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100218
219 *olen = 0;
220
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200221 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Hanno Becker261602c2017-04-12 14:54:42 +0100222 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100223
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100224 MBEDTLS_SSL_DEBUG_MSG( 3,
225 ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100226
Hanno Beckere131bfe2017-04-12 14:54:42 +0100227 if( ssl->conf->sig_hashes == NULL )
228 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
229
Simon Butchered997662015-09-28 02:14:30 +0100230 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
231 {
232#if defined(MBEDTLS_ECDSA_C)
233 sig_alg_len += 2;
234#endif
235#if defined(MBEDTLS_RSA_C)
236 sig_alg_len += 2;
237#endif
Hanno Beckere131bfe2017-04-12 14:54:42 +0100238 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
239 {
240 MBEDTLS_SSL_DEBUG_MSG( 3,
241 ( "length in bytes of sig-hash-alg extension too big" ) );
242 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
243 }
Simon Butchered997662015-09-28 02:14:30 +0100244 }
245
Hanno Beckere131bfe2017-04-12 14:54:42 +0100246 /* Empty signature algorithms list, this is a configuration error. */
247 if( sig_alg_len == 0 )
248 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
249
Hanno Becker261602c2017-04-12 14:54:42 +0100250 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
Simon Butchered997662015-09-28 02:14:30 +0100251
Paul Bakkerd3edc862013-03-20 16:07:17 +0100252 /*
253 * Prepare signature_algorithms extension (TLS 1.2)
254 */
Simon Butchered997662015-09-28 02:14:30 +0100255 sig_alg_len = 0;
256
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200257 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
258 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200259#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200260 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
261 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200262#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200263#if defined(MBEDTLS_RSA_C)
264 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
265 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200266#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200267 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100268
269 /*
270 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200271 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
272 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100273 * } HashAlgorithm;
274 *
275 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
276 * SignatureAlgorithm;
277 *
278 * struct {
279 * HashAlgorithm hash;
280 * SignatureAlgorithm signature;
281 * } SignatureAndHashAlgorithm;
282 *
283 * SignatureAndHashAlgorithm
284 * supported_signature_algorithms<2..2^16-2>;
285 */
Joe Subbiani2f98d792021-08-20 11:44:44 +0100286 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, p, 0 );
287 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100288
Joe Subbiani2f98d792021-08-20 11:44:44 +0100289 MBEDTLS_PUT_UINT16_BE( sig_alg_len + 2, p, 0 );
290 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100291
Joe Subbiani2f98d792021-08-20 11:44:44 +0100292 MBEDTLS_PUT_UINT16_BE( sig_alg_len, p, 0 );
293 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100294
Paul Bakkerd3edc862013-03-20 16:07:17 +0100295 *olen = 6 + sig_alg_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100296
297 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100298}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200299#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Gilles Peskineeccd8882020-03-10 12:19:08 +0100300 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100301
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200302#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100303 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200304MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100305static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
306 unsigned char *buf,
307 const unsigned char *end,
308 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100309{
310 unsigned char *p = buf;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100311 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100312 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200313 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200314 const mbedtls_ecp_group_id *grp_id;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100315
316 *olen = 0;
317
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100318 MBEDTLS_SSL_DEBUG_MSG( 3,
319 ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100320
Hanno Beckere131bfe2017-04-12 14:54:42 +0100321 if( ssl->conf->curve_list == NULL )
322 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
323
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100324 for( grp_id = ssl->conf->curve_list;
325 *grp_id != MBEDTLS_ECP_DP_NONE;
326 grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100327 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200328 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Janos Follath8a317052016-04-21 23:37:09 +0100329 if( info == NULL )
330 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100331 MBEDTLS_SSL_DEBUG_MSG( 1,
332 ( "invalid curve in ssl configuration" ) );
Hanno Beckere131bfe2017-04-12 14:54:42 +0100333 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
Janos Follath8a317052016-04-21 23:37:09 +0100334 }
Simon Butchered997662015-09-28 02:14:30 +0100335 elliptic_curve_len += 2;
Hanno Beckere131bfe2017-04-12 14:54:42 +0100336
337 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
338 {
339 MBEDTLS_SSL_DEBUG_MSG( 3,
340 ( "malformed supported_elliptic_curves extension in config" ) );
341 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
342 }
Simon Butchered997662015-09-28 02:14:30 +0100343 }
344
Hanno Beckere131bfe2017-04-12 14:54:42 +0100345 /* Empty elliptic curve list, this is a configuration error. */
Hanno Becker261602c2017-04-12 14:54:42 +0100346 if( elliptic_curve_len == 0 )
Hanno Beckere131bfe2017-04-12 14:54:42 +0100347 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
Hanno Becker261602c2017-04-12 14:54:42 +0100348
349 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
Simon Butchered997662015-09-28 02:14:30 +0100350
351 elliptic_curve_len = 0;
352
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100353 for( grp_id = ssl->conf->curve_list;
354 *grp_id != MBEDTLS_ECP_DP_NONE;
355 grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100356 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200357 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Joe Subbianiad1115a2021-07-16 14:27:50 +0100358 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1( info->tls_id );
359 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0( info->tls_id );
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200360 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200361
Joe Subbiani2f98d792021-08-20 11:44:44 +0100362 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0 );
363 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100364
Joe Subbiani2f98d792021-08-20 11:44:44 +0100365 MBEDTLS_PUT_UINT16_BE( elliptic_curve_len + 2, p, 0 );
366 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100367
Joe Subbiani2f98d792021-08-20 11:44:44 +0100368 MBEDTLS_PUT_UINT16_BE( elliptic_curve_len, p, 0 );
369 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100370
Paul Bakkerd3edc862013-03-20 16:07:17 +0100371 *olen = 6 + elliptic_curve_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100372
373 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100374}
375
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200376MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100377static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
378 unsigned char *buf,
379 const unsigned char *end,
380 size_t *olen )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100381{
382 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100383 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100384
385 *olen = 0;
386
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100387 MBEDTLS_SSL_DEBUG_MSG( 3,
388 ( "client hello, adding supported_point_formats extension" ) );
Hanno Becker261602c2017-04-12 14:54:42 +0100389 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
Simon Butchered997662015-09-28 02:14:30 +0100390
Joe Subbiani2f98d792021-08-20 11:44:44 +0100391 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 );
392 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100393
394 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100395 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200396
397 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200398 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100399
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200400 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100401
402 return( 0 );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100403}
Darryl Green11999bb2018-03-13 15:22:58 +0000404#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100405 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100406
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200407#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200408MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100409static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
410 unsigned char *buf,
411 const unsigned char *end,
412 size_t *olen )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200413{
Janos Follath865b3eb2019-12-16 11:46:15 +0000414 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200415 unsigned char *p = buf;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200416 size_t kkpp_len;
417
418 *olen = 0;
419
420 /* Skip costly extension if we can't use EC J-PAKE anyway */
421 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100422 return( 0 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200423
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100424 MBEDTLS_SSL_DEBUG_MSG( 3,
425 ( "client hello, adding ecjpake_kkpp extension" ) );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200426
Hanno Becker261602c2017-04-12 14:54:42 +0100427 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200428
Joe Subbiani2f98d792021-08-20 11:44:44 +0100429 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 );
430 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200431
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200432 /*
433 * We may need to send ClientHello multiple times for Hello verification.
434 * We don't want to compute fresh values every time (both for performance
435 * and consistency reasons), so cache the extension content.
436 */
437 if( ssl->handshake->ecjpake_cache == NULL ||
438 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200439 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
441
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200442 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
Hanno Becker261602c2017-04-12 14:54:42 +0100443 p + 2, end - p - 2, &kkpp_len,
444 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200445 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200446 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100447 MBEDTLS_SSL_DEBUG_RET( 1 ,
448 "mbedtls_ecjpake_write_round_one", ret );
Hanno Becker261602c2017-04-12 14:54:42 +0100449 return( ret );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200450 }
451
452 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
453 if( ssl->handshake->ecjpake_cache == NULL )
454 {
455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
Hanno Becker261602c2017-04-12 14:54:42 +0100456 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200457 }
458
459 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
460 ssl->handshake->ecjpake_cache_len = kkpp_len;
461 }
462 else
463 {
464 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
465
466 kkpp_len = ssl->handshake->ecjpake_cache_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100467 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200468
469 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200470 }
471
Joe Subbiani2f98d792021-08-20 11:44:44 +0100472 MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 );
473 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200474
475 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100476
477 return( 0 );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200478}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200479#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000480
Hanno Beckera0e20d02019-05-15 14:03:01 +0100481#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200482MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100483static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
484 unsigned char *buf,
485 const unsigned char *end,
486 size_t *olen )
Hanno Becker49770ff2019-04-25 16:55:15 +0100487{
488 unsigned char *p = buf;
489 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100490
491 /*
Hanno Beckerebcc9132019-05-15 10:26:32 +0100492 * Quoting draft-ietf-tls-dtls-connection-id-05
493 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker49770ff2019-04-25 16:55:15 +0100494 *
495 * struct {
496 * opaque cid<0..2^8-1>;
497 * } ConnectionId;
498 */
499
500 *olen = 0;
501 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
502 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
503 {
Hanno Becker261602c2017-04-12 14:54:42 +0100504 return( 0 );
Hanno Becker49770ff2019-04-25 16:55:15 +0100505 }
506 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
507
508 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
509 * which is at most 255, so the increment cannot overflow. */
Hanno Becker261602c2017-04-12 14:54:42 +0100510 MBEDTLS_SSL_CHK_BUF_PTR( p, end, (unsigned)( ssl->own_cid_len + 5 ) );
Hanno Becker49770ff2019-04-25 16:55:15 +0100511
512 /* Add extension ID + size */
Joe Subbiani2f98d792021-08-20 11:44:44 +0100513 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 );
514 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100515 ext_len = (size_t) ssl->own_cid_len + 1;
Joe Subbiani2f98d792021-08-20 11:44:44 +0100516 MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
517 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100518
519 *p++ = (uint8_t) ssl->own_cid_len;
520 memcpy( p, ssl->own_cid, ssl->own_cid_len );
521
522 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100523
524 return( 0 );
Hanno Becker49770ff2019-04-25 16:55:15 +0100525}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100526#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200528#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200529MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100530static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
531 unsigned char *buf,
532 const unsigned char *end,
533 size_t *olen )
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200534{
535 unsigned char *p = buf;
536
Simon Butcher0fc94e92015-09-28 20:52:04 +0100537 *olen = 0;
538
Hanno Becker261602c2017-04-12 14:54:42 +0100539 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
540 return( 0 );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200541
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100542 MBEDTLS_SSL_DEBUG_MSG( 3,
543 ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200544
Hanno Becker261602c2017-04-12 14:54:42 +0100545 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
Simon Butchered997662015-09-28 02:14:30 +0100546
Joe Subbiani2f98d792021-08-20 11:44:44 +0100547 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 );
548 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200549
550 *p++ = 0x00;
551 *p++ = 1;
552
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200553 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200554
555 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100556
557 return( 0 );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200558}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200559#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200561#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200562MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100563static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
564 unsigned char *buf,
565 const unsigned char *end,
566 size_t *olen )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200567{
568 unsigned char *p = buf;
569
Simon Butcher0fc94e92015-09-28 20:52:04 +0100570 *olen = 0;
571
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200572 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Hanno Becker261602c2017-04-12 14:54:42 +0100573 return( 0 );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200574
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100575 MBEDTLS_SSL_DEBUG_MSG( 3,
576 ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200577
Hanno Becker261602c2017-04-12 14:54:42 +0100578 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Simon Butchered997662015-09-28 02:14:30 +0100579
Joe Subbiani2f98d792021-08-20 11:44:44 +0100580 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0 );
581 p += 2;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200582
583 *p++ = 0x00;
584 *p++ = 0x00;
585
586 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100587
588 return( 0 );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200589}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200590#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200592#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200593MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100594static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
595 unsigned char *buf,
596 const unsigned char *end,
597 size_t *olen )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100598{
599 unsigned char *p = buf;
600
Simon Butcher0fc94e92015-09-28 20:52:04 +0100601 *olen = 0;
602
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200603 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
604 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100605 return( 0 );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100606
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100607 MBEDTLS_SSL_DEBUG_MSG( 3,
608 ( "client hello, adding encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100609
Hanno Becker261602c2017-04-12 14:54:42 +0100610 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Simon Butchered997662015-09-28 02:14:30 +0100611
Joe Subbiani2f98d792021-08-20 11:44:44 +0100612 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 );
613 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100614
615 *p++ = 0x00;
616 *p++ = 0x00;
617
618 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100619
620 return( 0 );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100621}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200622#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200624#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200625MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100626static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
627 unsigned char *buf,
628 const unsigned char *end,
629 size_t *olen )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200630{
631 unsigned char *p = buf;
632
Simon Butcher0fc94e92015-09-28 20:52:04 +0100633 *olen = 0;
634
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200635 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
636 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100637 return( 0 );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200638
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100639 MBEDTLS_SSL_DEBUG_MSG( 3,
640 ( "client hello, adding extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200641
Hanno Becker261602c2017-04-12 14:54:42 +0100642 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
Simon Butchered997662015-09-28 02:14:30 +0100643
Joe Subbiani2f98d792021-08-20 11:44:44 +0100644 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 );
645 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200646
647 *p++ = 0x00;
648 *p++ = 0x00;
649
650 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100651
652 return( 0 );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200653}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200654#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200656#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200657MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100658static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
659 unsigned char *buf,
660 const unsigned char *end,
661 size_t *olen )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200662{
663 unsigned char *p = buf;
664 size_t tlen = ssl->session_negotiate->ticket_len;
665
Simon Butcher0fc94e92015-09-28 20:52:04 +0100666 *olen = 0;
667
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200668 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Hanno Becker261602c2017-04-12 14:54:42 +0100669 return( 0 );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200670
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100671 MBEDTLS_SSL_DEBUG_MSG( 3,
672 ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200673
Hanno Becker261602c2017-04-12 14:54:42 +0100674 /* The addition is safe here since the ticket length is 16 bit. */
675 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
Simon Butchered997662015-09-28 02:14:30 +0100676
Joe Subbiani2f98d792021-08-20 11:44:44 +0100677 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 );
678 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200679
Joe Subbiani2f98d792021-08-20 11:44:44 +0100680 MBEDTLS_PUT_UINT16_BE( tlen, p, 0 );
681 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200682
683 *olen = 4;
684
Simon Butchered997662015-09-28 02:14:30 +0100685 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Hanno Becker261602c2017-04-12 14:54:42 +0100686 return( 0 );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200687
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100688 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliottd48d5c62021-01-07 14:47:05 +0000689 ( "sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200690
691 memcpy( p, ssl->session_negotiate->ticket, tlen );
692
693 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100694
695 return( 0 );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200696}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200697#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200699#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200700MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Becker261602c2017-04-12 14:54:42 +0100701static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
702 unsigned char *buf,
703 const unsigned char *end,
704 size_t *olen )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200705{
706 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100707 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200708 const char **cur;
709
Simon Butcher0fc94e92015-09-28 20:52:04 +0100710 *olen = 0;
711
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200712 if( ssl->conf->alpn_list == NULL )
Hanno Becker261602c2017-04-12 14:54:42 +0100713 return( 0 );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200715 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200716
Simon Butchered997662015-09-28 02:14:30 +0100717 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Hanno Beckere131bfe2017-04-12 14:54:42 +0100718 alpnlen += strlen( *cur ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100719
Hanno Becker261602c2017-04-12 14:54:42 +0100720 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
Simon Butchered997662015-09-28 02:14:30 +0100721
Joe Subbiani2f98d792021-08-20 11:44:44 +0100722 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 );
723 p += 2;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200724
725 /*
726 * opaque ProtocolName<1..2^8-1>;
727 *
728 * struct {
729 * ProtocolName protocol_name_list<2..2^16-1>
730 * } ProtocolNameList;
731 */
732
733 /* Skip writing extension and list length for now */
734 p += 4;
735
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200736 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200737 {
Hanno Beckere131bfe2017-04-12 14:54:42 +0100738 /*
739 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
740 * protocol names is less than 255.
741 */
742 *p = (unsigned char)strlen( *cur );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200743 memcpy( p + 1, *cur, *p );
744 p += 1 + *p;
745 }
746
747 *olen = p - buf;
748
749 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
Joe Subbianic54e9082021-07-19 11:56:54 +0100750 MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200751
752 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
Joe Subbianic54e9082021-07-19 11:56:54 +0100753 MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 );
Hanno Becker261602c2017-04-12 14:54:42 +0100754
755 return( 0 );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200756}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200757#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200758
Ron Eldora9788042018-12-05 11:04:31 +0200759#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200760MBEDTLS_CHECK_RETURN_CRITICAL
Johan Pascal77696ee2020-09-22 21:49:40 +0200761static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
Johan Pascald387aa02020-09-23 18:47:56 +0200762 unsigned char *buf,
763 const unsigned char *end,
764 size_t *olen )
Johan Pascalb62bb512015-12-03 21:56:45 +0100765{
766 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200767 size_t protection_profiles_index = 0, ext_len = 0;
768 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100769
770 *olen = 0;
771
Johan Pascalc3ccd982020-10-28 17:18:18 +0100772 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
773 ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
774 ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
Johan Pascalb62bb512015-12-03 21:56:45 +0100775 {
Johan Pascal77696ee2020-09-22 21:49:40 +0200776 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +0100777 }
778
Ron Eldora9788042018-12-05 11:04:31 +0200779 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100780 * uint8 SRTPProtectionProfile[2];
781 *
782 * struct {
783 * SRTPProtectionProfiles SRTPProtectionProfiles;
784 * opaque srtp_mki<0..255>;
785 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100786 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100787 */
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200788 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
Ron Eldor591f1622018-01-22 12:30:04 +0200789 {
790 mki_len = ssl->dtls_srtp_info.mki_len;
791 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300792 /* Extension length = 2 bytes for profiles length,
793 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
794 * 1 byte for srtp_mki vector length and the mki_len value
795 */
Ron Eldor089c9fe2018-12-06 17:12:49 +0200796 ext_len = 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len;
797
Johan Pascal77696ee2020-09-22 21:49:40 +0200798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) );
799
800 /* Check there is room in the buffer for the extension + 4 bytes
801 * - the extension tag (2 bytes)
802 * - the extension length (2 bytes)
803 */
804 MBEDTLS_SSL_CHK_BUF_PTR( p, end, ext_len + 4 );
805
Joe Subbiani2f98d792021-08-20 11:44:44 +0100806 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_USE_SRTP, p, 0 );
807 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200808
Joe Subbiani2f98d792021-08-20 11:44:44 +0100809 MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
810 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100811
Ron Eldor3adb9922017-12-21 10:15:08 +0200812 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200813 /* micro-optimization:
814 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
815 * which is lower than 127, so the upper byte of the length is always 0
816 * For the documentation, the more generic code is left in comments
817 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
818 * >> 8 ) & 0xFF );
819 */
820 *p++ = 0;
Joe Subbianic045dc12021-07-14 12:31:31 +0100821 *p++ = MBEDTLS_BYTE_0( 2 * ssl->conf->dtls_srtp_profile_list_len );
Johan Pascalb62bb512015-12-03 21:56:45 +0100822
Ron Eldoref72faf2018-07-12 11:54:20 +0300823 for( protection_profiles_index=0;
824 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
825 protection_profiles_index++ )
Johan Pascalb62bb512015-12-03 21:56:45 +0100826 {
Johan Pascal43f94902020-09-22 12:25:52 +0200827 profile_value = mbedtls_ssl_check_srtp_profile_value
Ron Eldor089c9fe2018-12-06 17:12:49 +0200828 ( ssl->conf->dtls_srtp_profile_list[protection_profiles_index] );
Johan Pascal43f94902020-09-22 12:25:52 +0200829 if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
Ron Eldor089c9fe2018-12-06 17:12:49 +0200830 {
831 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
832 profile_value ) );
Joe Subbiani2f98d792021-08-20 11:44:44 +0100833 MBEDTLS_PUT_UINT16_BE( profile_value, p, 0 );
834 p += 2;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200835 }
836 else
837 {
838 /*
839 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200840 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200841 */
Johan Pascale79c1e82020-09-22 15:51:27 +0200842 MBEDTLS_SSL_DEBUG_MSG( 3,
843 ( "client hello, "
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200844 "illegal DTLS-SRTP protection profile %d",
Johan Pascale79c1e82020-09-22 15:51:27 +0200845 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
846 ) );
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200847 return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
Johan Pascalb62bb512015-12-03 21:56:45 +0100848 }
849 }
850
Ron Eldor591f1622018-01-22 12:30:04 +0200851 *p++ = mki_len & 0xFF;
852
853 if( mki_len != 0 )
854 {
Ron Eldor75870ec2018-12-06 17:31:55 +0200855 memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len );
Ron Eldor313d7b52018-12-10 14:56:21 +0200856 /*
857 * Increment p to point to the current position.
858 */
859 p += mki_len;
Ron Eldoref72faf2018-07-12 11:54:20 +0300860 MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
861 ssl->dtls_srtp_info.mki_len );
Ron Eldor591f1622018-01-22 12:30:04 +0200862 }
863
Ron Eldoref72faf2018-07-12 11:54:20 +0300864 /*
865 * total extension length: extension type (2 bytes)
866 * + extension length (2 bytes)
867 * + protection profile length (2 bytes)
868 * + 2 * number of protection profiles
869 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200870 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300871 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200872 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200873
874 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +0100875}
876#endif /* MBEDTLS_SSL_DTLS_SRTP */
877
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200878/*
879 * Generate random bytes for ClientHello
880 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200881MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200882static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200883{
Janos Follath865b3eb2019-12-16 11:46:15 +0000884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200885 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200886#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100887 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200888#endif
889
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200890 /*
891 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
892 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200893#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200894 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200895 ssl->handshake->verify_cookie != NULL )
896 {
897 return( 0 );
898 }
899#endif
900
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200901#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100902 t = mbedtls_time( NULL );
Joe Subbiani2f98d792021-08-20 11:44:44 +0100903 MBEDTLS_PUT_UINT32_BE( t, p, 0 );
904 p += 4;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200905
Paul Elliottd48d5c62021-01-07 14:47:05 +0000906 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
907 (long long) t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200908#else
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100909 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200910 return( ret );
911
912 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200913#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200914
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100915 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200916 return( ret );
917
918 return( 0 );
919}
920
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100921/**
922 * \brief Validate cipher suite against config in SSL context.
923 *
924 * \param suite_info cipher suite to validate
925 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400926 * \param min_minor_ver Minimal minor version to accept a cipher suite
927 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100928 *
929 * \return 0 if valid, else 1
930 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200931MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100932static int ssl_validate_ciphersuite(
933 const mbedtls_ssl_ciphersuite_t * suite_info,
934 const mbedtls_ssl_context * ssl,
935 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100936{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400937 (void) ssl;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100938 if( suite_info == NULL )
939 return( 1 );
940
Andrzej Kurek03bac442018-04-25 05:06:07 -0400941 if( suite_info->min_minor_ver > max_minor_ver ||
942 suite_info->max_minor_ver < min_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100943 return( 1 );
944
945#if defined(MBEDTLS_SSL_PROTO_DTLS)
946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
947 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
948 return( 1 );
949#endif
950
951#if defined(MBEDTLS_ARC4_C)
952 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
953 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
954 return( 1 );
955#endif
956
957#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
958 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
959 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
960 return( 1 );
961#endif
962
Hanno Becker2e4f6162018-10-23 11:54:44 +0100963 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100964#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Becker2e4f6162018-10-23 11:54:44 +0100965 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
Hanno Becker520224e2018-10-26 11:38:07 +0100966 ssl_conf_has_static_psk( ssl->conf ) == 0 )
Hanno Becker2e4f6162018-10-23 11:54:44 +0100967 {
968 return( 1 );
969 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100970#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker2e4f6162018-10-23 11:54:44 +0100971
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100972 return( 0 );
973}
974
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +0200975MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200976static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000977{
Janos Follath865b3eb2019-12-16 11:46:15 +0000978 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100979 size_t i, n, olen, ext_len = 0;
Hanno Becker261602c2017-04-12 14:54:42 +0100980
Paul Bakker5121ce52009-01-03 21:22:43 +0000981 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200982 unsigned char *p, *q;
Hanno Becker261602c2017-04-12 14:54:42 +0100983 const unsigned char *end;
984
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200985 unsigned char offer_compress;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200986 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200987 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200988#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
989 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
990 int uses_ec = 0;
991#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200993 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000994
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100995 if( ssl->conf->f_rng == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100996 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
998 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100999 }
1000
David Horstmannee0a0e72022-10-25 17:20:00 +01001001 int renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001002#if defined(MBEDTLS_SSL_RENEGOTIATION)
David Horstmannee0a0e72022-10-25 17:20:00 +01001003 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1004 renegotiating = 1;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001005#endif
David Horstmannee0a0e72022-10-25 17:20:00 +01001006 if( !renegotiating )
Paul Bakker48916f92012-09-16 19:57:18 +00001007 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001008 ssl->major_ver = ssl->conf->min_major_ver;
1009 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +00001010 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001011
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02001012 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +00001013 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001014 MBEDTLS_SSL_DEBUG_MSG( 1,
1015 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +02001016 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +00001017 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001018
Hanno Becker261602c2017-04-12 14:54:42 +01001019 buf = ssl->out_msg;
1020 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
1021
Paul Bakker5121ce52009-01-03 21:22:43 +00001022 /*
Hanno Becker261602c2017-04-12 14:54:42 +01001023 * Check if there's enough space for the first part of the ClientHello
1024 * consisting of the 38 bytes described below, the session identifier (at
1025 * most 32 bytes) and its length (1 byte).
1026 *
1027 * Use static upper bounds instead of the actual values
1028 * to allow the compiler to optimize this away.
1029 */
1030 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
1031
1032 /*
1033 * The 38 first bytes of the ClientHello:
1034 * 0 . 0 handshake type (written later)
1035 * 1 . 3 handshake length (written later)
Paul Bakker5121ce52009-01-03 21:22:43 +00001036 * 4 . 5 highest version supported
1037 * 6 . 9 current UNIX time
1038 * 10 . 37 random bytes
Hanno Becker261602c2017-04-12 14:54:42 +01001039 *
1040 * The current UNIX time (4 bytes) and following 28 random bytes are written
1041 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
1042 * copied from there into the output buffer.
Paul Bakker5121ce52009-01-03 21:22:43 +00001043 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001044
Hanno Becker261602c2017-04-12 14:54:42 +01001045 p = buf + 4;
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001046 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
1047 ssl->conf->max_minor_ver,
1048 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01001049 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +00001050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +00001052 buf[4], buf[5] ) );
1053
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +02001054 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
1055 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001056 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001057 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +02001058 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001059
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +02001060 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001061 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +02001062 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +00001063
1064 /*
1065 * 38 . 38 session id length
1066 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001067 * 39+n . 39+n DTLS only: cookie length (1 byte)
Hanno Becker261602c2017-04-12 14:54:42 +01001068 * 40+n . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001069 * .. . .. ciphersuitelist length (2 bytes)
1070 * .. . .. ciphersuitelist
1071 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001072 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001073 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001074 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +00001075 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02001076 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001077
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001078 if( n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001079#if defined(MBEDTLS_SSL_RENEGOTIATION)
1080 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001081#endif
Paul Bakker0a597072012-09-25 21:55:46 +00001082 ssl->handshake->resume == 0 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001083 {
Paul Bakker5121ce52009-01-03 21:22:43 +00001084 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001085 }
1086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001087#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001088 /*
1089 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
1090 * generate and include a Session ID in the TLS ClientHello."
1091 */
David Horstmannee0a0e72022-10-25 17:20:00 +01001092 if( !renegotiating )
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +00001093 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +00001094 if( ssl->session_negotiate->ticket != NULL &&
1095 ssl->session_negotiate->ticket_len != 0 )
1096 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001097 ret = ssl->conf->f_rng( ssl->conf->p_rng,
1098 ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001099
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +00001100 if( ret != 0 )
1101 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001102
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02001103 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +00001104 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +02001105 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001106#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +00001107
Hanno Becker261602c2017-04-12 14:54:42 +01001108 /*
1109 * The first check of the output buffer size above (
1110 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
1111 * has checked that there is enough space in the output buffer for the
1112 * session identifier length byte and the session identifier (n <= 32).
1113 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001114 *p++ = (unsigned char) n;
1115
1116 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +00001117 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +00001118
Paul Elliottd48d5c62021-01-07 14:47:05 +00001119 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001120 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00001121
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001122 /*
Hanno Becker261602c2017-04-12 14:54:42 +01001123 * With 'n' being the length of the session identifier
1124 *
1125 * 39+n . 39+n DTLS only: cookie length (1 byte)
1126 * 40+n . .. DTLS only: cookie
1127 * .. . .. ciphersuitelist length (2 bytes)
1128 * .. . .. ciphersuitelist
1129 * .. . .. compression methods length (1 byte)
1130 * .. . .. compression methods
1131 * .. . .. extensions length (2 bytes)
1132 * .. . .. extensions
1133 */
1134
1135 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001136 * DTLS cookie
1137 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001138#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001139 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001140 {
Hanno Becker261602c2017-04-12 14:54:42 +01001141 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
1142
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001143 if( ssl->handshake->verify_cookie == NULL )
1144 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001146 *p++ = 0;
1147 }
1148 else
1149 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001150 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001151 ssl->handshake->verify_cookie,
1152 ssl->handshake->verify_cookie_len );
1153
1154 *p++ = ssl->handshake->verify_cookie_len;
Hanno Becker261602c2017-04-12 14:54:42 +01001155
1156 MBEDTLS_SSL_CHK_BUF_PTR( p, end,
1157 ssl->handshake->verify_cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001158 memcpy( p, ssl->handshake->verify_cookie,
1159 ssl->handshake->verify_cookie_len );
1160 p += ssl->handshake->verify_cookie_len;
1161 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001162 }
1163#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001164
Paul Bakker48916f92012-09-16 19:57:18 +00001165 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001166 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +00001167 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001168 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001169
1170 /* Skip writing ciphersuite length for now */
1171 n = 0;
1172 q = p;
Hanno Becker261602c2017-04-12 14:54:42 +01001173
1174 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +01001175 p += 2;
1176
Paul Bakker2fbefde2013-06-29 16:01:15 +02001177 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +00001178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001179 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker2fbefde2013-06-29 16:01:15 +02001180
Andrzej Kurek03bac442018-04-25 05:06:07 -04001181 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1182 ssl->conf->min_minor_ver,
1183 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker2fbefde2013-06-29 16:01:15 +02001184 continue;
1185
Hanno Becker3c88c652019-01-02 11:17:25 +00001186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %#04x (%s)",
Paul Elliott9f352112020-12-09 14:55:45 +00001187 (unsigned int)ciphersuites[i], ciphersuite_info->name ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001188
Ron Eldor755bb6a2018-02-14 19:30:48 +02001189#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1190 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1191 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1192#endif
1193
Hanno Becker261602c2017-04-12 14:54:42 +01001194 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1195
Paul Bakker2fbefde2013-06-29 16:01:15 +02001196 n++;
Joe Subbiani2f98d792021-08-20 11:44:44 +01001197 MBEDTLS_PUT_UINT16_BE( ciphersuites[i], p, 0 );
1198 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +00001199 }
1200
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001201 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliottd48d5c62021-01-07 14:47:05 +00001202 ( "client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +03001203
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +00001204 /*
1205 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1206 */
David Horstmannee0a0e72022-10-25 17:20:00 +01001207 if( !renegotiating )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +00001208 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +03001209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Hanno Becker261602c2017-04-12 14:54:42 +01001210 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Joe Subbiani2f98d792021-08-20 11:44:44 +01001211 MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0 );
1212 p += 2;
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +00001213 n++;
1214 }
1215
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001216 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001217#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +01001218 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001219 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001220 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
Hanno Becker261602c2017-04-12 14:54:42 +01001221
1222 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Joe Subbiani2f98d792021-08-20 11:44:44 +01001223 MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_FALLBACK_SCSV_VALUE, p, 0 );
1224 p += 2;
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001225 n++;
1226 }
1227#endif
1228
Paul Bakker2fbefde2013-06-29 16:01:15 +02001229 *q++ = (unsigned char)( n >> 7 );
1230 *q++ = (unsigned char)( n << 1 );
1231
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001232#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001233 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001234#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001235 offer_compress = 0;
1236#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001237
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001238 /*
Johannes H4e5d23f2018-01-06 09:46:57 +01001239 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001240 * in the same datagram, uncompressing one could overwrite the next one.
1241 * We don't want to add complexity for handling that case unless there is
1242 * an actual need for it.
1243 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001244#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001245 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001246 offer_compress = 0;
1247#endif
1248
1249 if( offer_compress )
1250 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001251 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1252 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001253 MBEDTLS_SSL_COMPRESS_DEFLATE,
1254 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001255
Hanno Becker261602c2017-04-12 14:54:42 +01001256 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001257 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001258 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1259 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001260 }
1261 else
1262 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1265 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001266
Hanno Becker261602c2017-04-12 14:54:42 +01001267 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001268 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001269 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001270 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001271
Hanno Becker261602c2017-04-12 14:54:42 +01001272 /* First write extensions, then the total length */
1273
1274 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001276#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Hanno Becker261602c2017-04-12 14:54:42 +01001277 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
1278 end, &olen ) ) != 0 )
1279 {
1280 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
1281 return( ret );
1282 }
Paul Bakkerd3edc862013-03-20 16:07:17 +01001283 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +02001284#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001285
Hanno Becker40f8b512017-10-12 14:58:55 +01001286 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1287 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001288#if defined(MBEDTLS_SSL_RENEGOTIATION)
Hanno Becker261602c2017-04-12 14:54:42 +01001289 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
1290 end, &olen ) ) != 0 )
1291 {
1292 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
1293 return( ret );
1294 }
Paul Bakkerd3edc862013-03-20 16:07:17 +01001295 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001296#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001298#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +01001299 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +01001300 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
1301 end, &olen ) ) != 0 )
1302 {
1303 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
1304 return( ret );
1305 }
Paul Bakkerd3edc862013-03-20 16:07:17 +01001306 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001307#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001308
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +02001309#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +01001310 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +02001311 if( uses_ec )
1312 {
Hanno Becker261602c2017-04-12 14:54:42 +01001313 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
1314 end, &olen ) ) != 0 )
1315 {
1316 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
1317 return( ret );
1318 }
Ron Eldor755bb6a2018-02-14 19:30:48 +02001319 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +01001320
Hanno Becker261602c2017-04-12 14:54:42 +01001321 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
1322 end, &olen ) ) != 0 )
1323 {
1324 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
1325 return( ret );
1326 }
Ron Eldor755bb6a2018-02-14 19:30:48 +02001327 ext_len += olen;
1328 }
Paul Bakker41c83d32013-03-20 14:39:14 +01001329#endif
1330
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +02001331#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker261602c2017-04-12 14:54:42 +01001332 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
1333 end, &olen ) ) != 0 )
1334 {
1335 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
1336 return( ret );
1337 }
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +02001338 ext_len += olen;
1339#endif
1340
Hanno Beckera0e20d02019-05-15 14:03:01 +01001341#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker261602c2017-04-12 14:54:42 +01001342 if( ( ret = ssl_write_cid_ext( ssl, p + 2 + ext_len, end, &olen ) ) != 0 )
1343 {
1344 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_cid_ext", ret );
1345 return( ret );
1346 }
Hanno Becker49770ff2019-04-25 16:55:15 +01001347 ext_len += olen;
Hanno Beckera0e20d02019-05-15 14:03:01 +01001348#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +01001349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001350#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Hanno Becker261602c2017-04-12 14:54:42 +01001351 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
1352 end, &olen ) ) != 0 )
1353 {
1354 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
1355 return( ret );
1356 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02001357 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02001358#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02001359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001360#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Hanno Becker261602c2017-04-12 14:54:42 +01001361 if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
1362 end, &olen ) ) != 0 )
1363 {
1364 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
1365 return( ret );
1366 }
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001367 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001368#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001370#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Hanno Becker261602c2017-04-12 14:54:42 +01001371 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
1372 end, &olen ) ) != 0 )
1373 {
1374 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
1375 return( ret );
1376 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001377 ext_len += olen;
1378#endif
1379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001380#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Becker261602c2017-04-12 14:54:42 +01001381 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
1382 end, &olen ) ) != 0 )
1383 {
1384 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
1385 return( ret );
1386 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001387 ext_len += olen;
1388#endif
1389
Simon Butcher5624ec82015-09-29 01:06:06 +01001390#if defined(MBEDTLS_SSL_ALPN)
Hanno Becker261602c2017-04-12 14:54:42 +01001391 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
1392 end, &olen ) ) != 0 )
1393 {
1394 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
1395 return( ret );
1396 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001397 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02001398#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001399
Johan Pascalb62bb512015-12-03 21:56:45 +01001400#if defined(MBEDTLS_SSL_DTLS_SRTP)
Johan Pascalc3ccd982020-10-28 17:18:18 +01001401 if( ( ret = ssl_write_use_srtp_ext( ssl, p + 2 + ext_len,
1402 end, &olen ) ) != 0 )
Ron Eldor3adb9922017-12-21 10:15:08 +02001403 {
Johan Pascalc3ccd982020-10-28 17:18:18 +01001404 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_use_srtp_ext", ret );
1405 return( ret );
Ron Eldor3adb9922017-12-21 10:15:08 +02001406 }
Johan Pascalc3ccd982020-10-28 17:18:18 +01001407 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +01001408#endif
1409
Simon Butcher5624ec82015-09-29 01:06:06 +01001410#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Hanno Becker261602c2017-04-12 14:54:42 +01001411 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
1412 end, &olen ) ) != 0 )
1413 {
1414 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
1415 return( ret );
1416 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001417 ext_len += olen;
1418#endif
1419
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001420 /* olen unused if all extensions are disabled */
1421 ((void) olen);
1422
Paul Elliottd48d5c62021-01-07 14:47:05 +00001423 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
Hanno Becker261602c2017-04-12 14:54:42 +01001424 ext_len ) );
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001425
Paul Bakkera7036632014-04-30 10:15:38 +02001426 if( ext_len > 0 )
1427 {
Hanno Becker261602c2017-04-12 14:54:42 +01001428 /* No need to check for space here, because the extension
1429 * writing functions already took care of that. */
Joe Subbiani2f98d792021-08-20 11:44:44 +01001430 MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
Joe Subbiani24647c52021-08-20 15:56:22 +01001431 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +02001432 }
Paul Bakker41c83d32013-03-20 14:39:14 +01001433
Paul Bakker5121ce52009-01-03 21:22:43 +00001434 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001435 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1436 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00001437
1438 ssl->state++;
1439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001440#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001441 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001442 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02001443#endif
1444
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001445 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001446 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02001447 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001448 return( ret );
1449 }
1450
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001451#if defined(MBEDTLS_SSL_PROTO_DTLS)
1452 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1453 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1454 {
1455 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1456 return( ret );
1457 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +01001458#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02001459
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001460 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001461
1462 return( 0 );
1463}
1464
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001465MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001466static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001467 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +00001468 size_t len )
1469{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001470#if defined(MBEDTLS_SSL_RENEGOTIATION)
1471 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00001472 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001473 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +00001474 if( len != 1 + ssl->verify_data_len * 2 ||
1475 buf[0] != ssl->verify_data_len * 2 ||
Gabor Mezei18a44942021-10-20 11:59:27 +02001476 mbedtls_ct_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001477 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Gabor Mezei18a44942021-10-20 11:59:27 +02001478 mbedtls_ct_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001479 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001480 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001482 mbedtls_ssl_send_alert_message(
1483 ssl,
1484 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1485 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001486 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001487 }
1488 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001489 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001490#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001491 {
1492 if( len != 1 || buf[0] != 0x00 )
1493 {
Ronald Cron5ee57072020-06-11 09:34:06 +02001494 MBEDTLS_SSL_DEBUG_MSG( 1,
1495 ( "non-zero length renegotiation info" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001496 mbedtls_ssl_send_alert_message(
1497 ssl,
1498 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1499 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001500 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001501 }
1502
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001503 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001504 }
Paul Bakker48916f92012-09-16 19:57:18 +00001505
1506 return( 0 );
1507}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001509#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001510MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001511static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001512 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001513 size_t len )
1514{
1515 /*
1516 * server should use the extension only if we did,
1517 * and if so the server's value should match ours (and len is always 1)
1518 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001519 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001520 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001521 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001522 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001523 MBEDTLS_SSL_DEBUG_MSG( 1,
1524 ( "non-matching max fragment length extension" ) );
1525 mbedtls_ssl_send_alert_message(
1526 ssl,
1527 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgmandd5f6242021-06-28 21:58:56 +01001528 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001529 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001530 }
1531
1532 return( 0 );
1533}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001534#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +00001535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001536#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001537MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001538static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001539 const unsigned char *buf,
1540 size_t len )
1541{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001542 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001543 len != 0 )
1544 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001545 MBEDTLS_SSL_DEBUG_MSG( 1,
1546 ( "non-matching truncated HMAC extension" ) );
1547 mbedtls_ssl_send_alert_message(
1548 ssl,
1549 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1550 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001551 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001552 }
1553
1554 ((void) buf);
1555
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001556 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001557
1558 return( 0 );
1559}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001560#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001561
Hanno Beckera0e20d02019-05-15 14:03:01 +01001562#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001563MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckera8373a12019-04-26 15:37:26 +01001564static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1565 const unsigned char *buf,
1566 size_t len )
1567{
1568 size_t peer_cid_len;
1569
1570 if( /* CID extension only makes sense in DTLS */
1571 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1572 /* The server must only send the CID extension if we have offered it. */
Hanno Becker22626482019-05-03 12:46:59 +01001573 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Beckera8373a12019-04-26 15:37:26 +01001574 {
Hanno Becker22626482019-05-03 12:46:59 +01001575 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +01001576 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman0dfb7db2021-06-29 15:09:58 +01001577 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Hanno Becker22626482019-05-03 12:46:59 +01001578 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1579 }
1580
1581 if( len == 0 )
1582 {
1583 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1584 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1585 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckera8373a12019-04-26 15:37:26 +01001586 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1587 }
1588
1589 peer_cid_len = *buf++;
1590 len--;
1591
1592 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1593 {
Hanno Becker22626482019-05-03 12:46:59 +01001594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +01001595 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker22626482019-05-03 12:46:59 +01001596 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Beckera8373a12019-04-26 15:37:26 +01001597 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1598 }
1599
1600 if( len != peer_cid_len )
1601 {
Hanno Becker22626482019-05-03 12:46:59 +01001602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Beckera8373a12019-04-26 15:37:26 +01001603 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker22626482019-05-03 12:46:59 +01001604 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckera8373a12019-04-26 15:37:26 +01001605 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1606 }
1607
Hanno Becker5a299902019-05-03 12:47:49 +01001608 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +01001609 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1610 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1611
1612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1613 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1614
Hanno Beckera8373a12019-04-26 15:37:26 +01001615 return( 0 );
1616}
Hanno Beckera0e20d02019-05-15 14:03:01 +01001617#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +01001618
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001619#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001620MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001621static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001622 const unsigned char *buf,
1623 size_t len )
1624{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001625 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001626 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001627 len != 0 )
1628 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001629 MBEDTLS_SSL_DEBUG_MSG( 1,
1630 ( "non-matching encrypt-then-MAC extension" ) );
1631 mbedtls_ssl_send_alert_message(
1632 ssl,
1633 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman0dfb7db2021-06-29 15:09:58 +01001634 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001635 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001636 }
1637
1638 ((void) buf);
1639
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001640 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001641
1642 return( 0 );
1643}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001644#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001646#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001647MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001648static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001649 const unsigned char *buf,
1650 size_t len )
1651{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001652 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001653 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001654 len != 0 )
1655 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001656 MBEDTLS_SSL_DEBUG_MSG( 1,
1657 ( "non-matching extended master secret extension" ) );
1658 mbedtls_ssl_send_alert_message(
1659 ssl,
1660 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman0dfb7db2021-06-29 15:09:58 +01001661 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001662 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001663 }
1664
1665 ((void) buf);
1666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001667 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001668
1669 return( 0 );
1670}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001671#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001673#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001674MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001675static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001676 const unsigned char *buf,
1677 size_t len )
1678{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001679 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02001680 len != 0 )
1681 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001682 MBEDTLS_SSL_DEBUG_MSG( 1,
1683 ( "non-matching session ticket extension" ) );
1684 mbedtls_ssl_send_alert_message(
1685 ssl,
1686 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman0dfb7db2021-06-29 15:09:58 +01001687 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001688 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02001689 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001690
1691 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02001692
1693 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001694
1695 return( 0 );
1696}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001697#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001698
Robert Cragie136884c2015-10-02 13:34:31 +01001699#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +01001700 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001701MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001702static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001703 const unsigned char *buf,
1704 size_t len )
1705{
1706 size_t list_size;
1707 const unsigned char *p;
1708
Philippe Antoine747fd532018-05-30 09:13:21 +02001709 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1713 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001714 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001715 }
Philippe Antoine747fd532018-05-30 09:13:21 +02001716 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001717
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +02001718 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001719 while( list_size > 0 )
1720 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001721 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1722 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001723 {
Robert Cragie136884c2015-10-02 13:34:31 +01001724#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +02001725 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +02001726#endif
Robert Cragieae8535d2015-10-06 17:11:18 +01001727#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +01001728 ssl->handshake->ecjpake_ctx.point_format = p[0];
1729#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001730 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001731 return( 0 );
1732 }
1733
1734 list_size--;
1735 p++;
1736 }
1737
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001739 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1740 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001741 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001742}
Darryl Green11999bb2018-03-13 15:22:58 +00001743#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +01001744 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001745
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001746#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001747MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001748static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1749 const unsigned char *buf,
1750 size_t len )
1751{
Janos Follath865b3eb2019-12-16 11:46:15 +00001752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001753
Hanno Beckere694c3e2017-12-27 21:34:08 +00001754 if( ssl->handshake->ciphersuite_info->key_exchange !=
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001755 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1756 {
1757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1758 return( 0 );
1759 }
1760
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02001761 /* If we got here, we no longer need our cached extension */
1762 mbedtls_free( ssl->handshake->ecjpake_cache );
1763 ssl->handshake->ecjpake_cache = NULL;
1764 ssl->handshake->ecjpake_cache_len = 0;
1765
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001766 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1767 buf, len ) ) != 0 )
1768 {
1769 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001770 mbedtls_ssl_send_alert_message(
1771 ssl,
1772 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1773 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001774 return( ret );
1775 }
1776
1777 return( 0 );
1778}
1779#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001781#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001782MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001783static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001784 const unsigned char *buf, size_t len )
1785{
1786 size_t list_len, name_len;
1787 const char **p;
1788
1789 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001790 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001791 {
1792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01001793 mbedtls_ssl_send_alert_message(
1794 ssl,
1795 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Dave Rodgman0dfb7db2021-06-29 15:09:58 +01001796 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001797 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001798 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001799
1800 /*
1801 * opaque ProtocolName<1..2^8-1>;
1802 *
1803 * struct {
1804 * ProtocolName protocol_name_list<2..2^16-1>
1805 * } ProtocolNameList;
1806 *
1807 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1808 */
1809
1810 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1811 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001812 {
1813 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1814 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001815 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001816 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001817
1818 list_len = ( buf[0] << 8 ) | buf[1];
1819 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001820 {
1821 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1822 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001823 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001824 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001825
1826 name_len = buf[2];
1827 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001828 {
1829 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1830 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001831 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001832 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001833
1834 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001835 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001836 {
1837 if( name_len == strlen( *p ) &&
1838 memcmp( buf + 3, *p, name_len ) == 0 )
1839 {
1840 ssl->alpn_chosen = *p;
1841 return( 0 );
1842 }
1843 }
1844
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001845 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001846 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1847 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001848 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001849}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001850#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001851
Johan Pascalb62bb512015-12-03 21:56:45 +01001852#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001853MBEDTLS_CHECK_RETURN_CRITICAL
Johan Pascalb62bb512015-12-03 21:56:45 +01001854static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
Ron Eldoref72faf2018-07-12 11:54:20 +03001855 const unsigned char *buf,
1856 size_t len )
Johan Pascalb62bb512015-12-03 21:56:45 +01001857{
Johan Pascal43f94902020-09-22 12:25:52 +02001858 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +02001859 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +01001860 uint16_t server_protection_profile_value = 0;
1861
1862 /* If use_srtp is not configured, just ignore the extension */
Johan Pascalc3ccd982020-10-28 17:18:18 +01001863 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
1864 ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
1865 ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
Johan Pascalb62bb512015-12-03 21:56:45 +01001866 return( 0 );
1867
Ron Eldora9788042018-12-05 11:04:31 +02001868 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +01001869 * uint8 SRTPProtectionProfile[2];
1870 *
1871 * struct {
1872 * SRTPProtectionProfiles SRTPProtectionProfiles;
1873 * opaque srtp_mki<0..255>;
1874 * } UseSRTPData;
1875
1876 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1877 *
Johan Pascalb62bb512015-12-03 21:56:45 +01001878 */
Johan Pascalf6417ec2020-09-22 15:15:19 +02001879 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
Ron Eldor591f1622018-01-22 12:30:04 +02001880 {
1881 mki_len = ssl->dtls_srtp_info.mki_len;
1882 }
Johan Pascalb62bb512015-12-03 21:56:45 +01001883
Ron Eldoref72faf2018-07-12 11:54:20 +03001884 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +02001885 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1886 * + protection profile (2 bytes)
1887 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +02001888 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +03001889 */
Johan Pascaladbd9442020-10-26 21:24:25 +01001890 if( ( len < 5 ) || ( len != ( buf[4] + 5u ) ) )
Johan Pascalb62bb512015-12-03 21:56:45 +01001891 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1892
1893 /*
1894 * get the server protection profile
1895 */
Ron Eldoref72faf2018-07-12 11:54:20 +03001896
1897 /*
1898 * protection profile length must be 0x0002 as we must have only
1899 * one protection profile in server Hello
1900 */
Ron Eldor089c9fe2018-12-06 17:12:49 +02001901 if( ( buf[0] != 0 ) || ( buf[1] != 2 ) )
Johan Pascalb62bb512015-12-03 21:56:45 +01001902 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Ron Eldor089c9fe2018-12-06 17:12:49 +02001903
1904 server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +02001905 server_protection = mbedtls_ssl_check_srtp_profile_value(
1906 server_protection_profile_value );
1907 if( server_protection != MBEDTLS_TLS_SRTP_UNSET )
Ron Eldoref72faf2018-07-12 11:54:20 +03001908 {
Johan Pascal43f94902020-09-22 12:25:52 +02001909 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s",
1910 mbedtls_ssl_get_srtp_profile_as_string(
1911 server_protection ) ) );
Johan Pascalb62bb512015-12-03 21:56:45 +01001912 }
1913
Johan Pascal43f94902020-09-22 12:25:52 +02001914 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +02001915
Johan Pascalb62bb512015-12-03 21:56:45 +01001916 /*
1917 * Check we have the server profile in our list
1918 */
Ron Eldor3adb9922017-12-21 10:15:08 +02001919 for( i=0; i < ssl->conf->dtls_srtp_profile_list_len; i++)
Johan Pascalb62bb512015-12-03 21:56:45 +01001920 {
Johan Pascal5ef72d22020-10-28 17:05:47 +01001921 if( server_protection == ssl->conf->dtls_srtp_profile_list[i] )
1922 {
Ron Eldor3adb9922017-12-21 10:15:08 +02001923 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Johan Pascal43f94902020-09-22 12:25:52 +02001924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s",
1925 mbedtls_ssl_get_srtp_profile_as_string(
1926 server_protection ) ) );
Ron Eldor591f1622018-01-22 12:30:04 +02001927 break;
Johan Pascalb62bb512015-12-03 21:56:45 +01001928 }
1929 }
1930
Ron Eldor591f1622018-01-22 12:30:04 +02001931 /* If no match was found : server problem, it shall never answer with incompatible profile */
Johan Pascal43f94902020-09-22 12:25:52 +02001932 if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
Ron Eldor591f1622018-01-22 12:30:04 +02001933 {
1934 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Ron Eldoref72faf2018-07-12 11:54:20 +03001935 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Ron Eldor591f1622018-01-22 12:30:04 +02001936 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1937 }
Johan Pascal20c7db32020-10-26 22:45:58 +01001938
1939 /* If server does not use mki in its reply, make sure the client won't keep
1940 * one as negotiated */
1941 if( len == 5 )
1942 {
1943 ssl->dtls_srtp_info.mki_len = 0;
1944 }
1945
Ron Eldoref72faf2018-07-12 11:54:20 +03001946 /*
1947 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +02001948 * If the client detects a nonzero-length MKI in the server's response
1949 * that is different than the one the client offered, then the client
1950 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1951 */
Ron Eldor313d7b52018-12-10 14:56:21 +02001952 if( len > 5 && ( buf[4] != mki_len ||
1953 ( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
Ron Eldor591f1622018-01-22 12:30:04 +02001954 {
1955 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1956 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1957 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1958 }
Ron Eldorb4655392018-07-05 18:25:39 +03001959#if defined (MBEDTLS_DEBUG_C)
Ron Eldoref72faf2018-07-12 11:54:20 +03001960 if( len > 5 )
Ron Eldorb4655392018-07-05 18:25:39 +03001961 {
Ron Eldora9788042018-12-05 11:04:31 +02001962 MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value,
1963 ssl->dtls_srtp_info.mki_len );
Ron Eldorb4655392018-07-05 18:25:39 +03001964 }
1965#endif
Ron Eldora9788042018-12-05 11:04:31 +02001966 return( 0 );
Johan Pascalb62bb512015-12-03 21:56:45 +01001967}
1968#endif /* MBEDTLS_SSL_DTLS_SRTP */
1969
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001970/*
1971 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1972 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001973#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02001974MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001975static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001976{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001977 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001978 int major_ver, minor_ver;
1979 unsigned char cookie_len;
1980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001982
Gilles Peskineb64bf062019-09-27 14:02:44 +02001983 /* Check that there is enough room for:
1984 * - 2 bytes of version
1985 * - 1 byte of cookie_len
1986 */
1987 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1988 {
1989 MBEDTLS_SSL_DEBUG_MSG( 1,
1990 ( "incoming HelloVerifyRequest message is too short" ) );
1991 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1992 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1993 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1994 }
1995
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001996 /*
1997 * struct {
1998 * ProtocolVersion server_version;
1999 * opaque cookie<0..2^8-1>;
2000 * } HelloVerifyRequest;
2001 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002002 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002003 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002004 p += 2;
2005
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +02002006 /*
2007 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
2008 * even is lower than our min version.
2009 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002010 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
2011 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002012 major_ver > ssl->conf->max_major_ver ||
2013 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002014 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002015 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002017 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2018 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002020 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002021 }
2022
2023 cookie_len = *p++;
Andres AG5a87c932016-09-26 14:53:05 +01002024 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
2025 {
2026 MBEDTLS_SSL_DEBUG_MSG( 1,
2027 ( "cookie length does not match incoming message size" ) );
2028 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2029 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2030 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2031 }
Gilles Peskineb51130d2019-09-27 14:00:36 +02002032 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Andres AG5a87c932016-09-26 14:53:05 +01002033
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002034 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002035
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02002036 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002037 if( ssl->handshake->verify_cookie == NULL )
2038 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02002039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02002040 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002041 }
2042
2043 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
2044 ssl->handshake->verify_cookie_len = cookie_len;
2045
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02002046 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002047 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
2048 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002049
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002050 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002053
2054 return( 0 );
2055}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002056#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002057
David Horstmannb4105662022-11-07 16:33:57 +00002058static int is_compression_bad( mbedtls_ssl_context *ssl, unsigned char comp )
David Horstmann0955f822022-11-07 14:24:21 +00002059{
David Horstmannb4105662022-11-07 16:33:57 +00002060 int bad_comp = 0;
David Horstmann0955f822022-11-07 14:24:21 +00002061
2062 /* Suppress warnings in some configurations */
David Horstmann08a37512022-11-07 15:55:00 +00002063 (void) ssl;
David Horstmann0955f822022-11-07 14:24:21 +00002064#if defined(MBEDTLS_ZLIB_SUPPORT)
2065 /* See comments in ssl_write_client_hello() */
2066#if defined(MBEDTLS_SSL_PROTO_DTLS)
2067 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
David Horstmannb4105662022-11-07 16:33:57 +00002068 bad_comp = 1;
David Horstmann0955f822022-11-07 14:24:21 +00002069#endif
2070
2071 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
2072 comp != MBEDTLS_SSL_COMPRESS_DEFLATE )
David Horstmannb4105662022-11-07 16:33:57 +00002073 bad_comp = 1;
David Horstmann0955f822022-11-07 14:24:21 +00002074#else /* MBEDTLS_ZLIB_SUPPORT */
2075 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
David Horstmannb4105662022-11-07 16:33:57 +00002076 bad_comp = 1;
David Horstmann0955f822022-11-07 14:24:21 +00002077#endif/* MBEDTLS_ZLIB_SUPPORT */
David Horstmannb4105662022-11-07 16:33:57 +00002078 return bad_comp;
David Horstmann0955f822022-11-07 14:24:21 +00002079}
2080
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002081MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002082static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002083{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02002084 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +00002085 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02002086 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +00002087 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +02002088 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002089#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002090 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01002091#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002092 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002093 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002094
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002096
Hanno Becker327c93b2018-08-15 13:56:18 +01002097 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002098 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002099 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002100 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002101 return( ret );
2102 }
2103
Hanno Becker79594fd2019-05-08 09:38:41 +01002104 buf = ssl->in_msg;
2105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002106 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002107 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002108#if defined(MBEDTLS_SSL_RENEGOTIATION)
2109 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02002110 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02002111 ssl->renego_records_seen++;
2112
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002113 if( ssl->conf->renego_max_records >= 0 &&
2114 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02002115 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002116 MBEDTLS_SSL_DEBUG_MSG( 1,
2117 ( "renegotiation requested, but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002118 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02002119 }
2120
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002121 MBEDTLS_SSL_DEBUG_MSG( 1,
2122 ( "non-handshake message during renegotiation" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002123
2124 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002125 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02002126 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002127#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02002128
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002130 mbedtls_ssl_send_alert_message(
2131 ssl,
2132 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2133 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002134 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002135 }
2136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002137#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002138 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002139 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002140 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002141 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
2143 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002144 return( ssl_parse_hello_verify_request( ssl ) );
2145 }
2146 else
2147 {
2148 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002149 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02002150 ssl->handshake->verify_cookie = NULL;
2151 ssl->handshake->verify_cookie_len = 0;
2152 }
2153 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002154#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +00002155
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002156 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
2157 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +00002158 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002160 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2161 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002162 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00002163 }
2164
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002165 /*
2166 * 0 . 1 server_version
2167 * 2 . 33 random (maybe including 4 bytes of Unix time)
2168 * 34 . 34 session_id length = n
2169 * 35 . 34+n session_id
2170 * 35+n . 36+n cipher_suite
2171 * 37+n . 37+n compression_method
2172 *
2173 * 38+n . 39+n extensions length (optional)
2174 * 40+n . .. extensions
2175 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002176 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002177
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002178 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
2179 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002180 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002181
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002182 if( ssl->major_ver < ssl->conf->min_major_ver ||
2183 ssl->minor_ver < ssl->conf->min_minor_ver ||
2184 ssl->major_ver > ssl->conf->max_major_ver ||
2185 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +00002186 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002187 MBEDTLS_SSL_DEBUG_MSG( 1,
2188 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
2189 ssl->conf->min_major_ver,
2190 ssl->conf->min_minor_ver,
2191 ssl->major_ver, ssl->minor_ver,
2192 ssl->conf->max_major_ver,
2193 ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00002194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002195 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2196 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +00002197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002198 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +00002199 }
2200
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +01002201 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
Paul Elliott9f352112020-12-09 14:55:45 +00002202 ( (unsigned long) buf[2] << 24 ) |
2203 ( (unsigned long) buf[3] << 16 ) |
2204 ( (unsigned long) buf[4] << 8 ) |
2205 ( (unsigned long) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002206
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002207 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002208
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002209 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +00002210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002211 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002212
Paul Bakker48916f92012-09-16 19:57:18 +00002213 if( n > 32 )
2214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002216 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2217 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002218 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00002219 }
2220
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +02002221 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +00002222 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002223 ext_len = ( ( buf[38 + n] << 8 )
2224 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002225
Paul Bakker48916f92012-09-16 19:57:18 +00002226 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002227 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +00002228 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002230 mbedtls_ssl_send_alert_message(
2231 ssl,
2232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2233 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002234 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00002235 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002236 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +02002237 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02002238 {
2239 ext_len = 0;
2240 }
2241 else
2242 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002244 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2245 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002246 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02002247 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002248
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02002249 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002250 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02002251
2252 /*
2253 * Read and check compression
2254 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002255 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +00002256
David Horstmannb4105662022-11-07 16:33:57 +00002257 if( is_compression_bad( ssl, comp ) )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02002258 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002259 MBEDTLS_SSL_DEBUG_MSG( 1,
2260 ( "server hello, bad compression: %d", comp ) );
2261 mbedtls_ssl_send_alert_message(
2262 ssl,
2263 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2264 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002265 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02002266 }
2267
Paul Bakker380da532012-04-18 16:10:25 +00002268 /*
2269 * Initialize update checksum functions
2270 */
Hanno Beckere694c3e2017-12-27 21:34:08 +00002271 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
2272 if( ssl->handshake->ciphersuite_info == NULL )
Paul Bakker68884e32013-01-07 18:20:04 +01002273 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002274 MBEDTLS_SSL_DEBUG_MSG( 1,
Paul Elliott9f352112020-12-09 14:55:45 +00002275 ( "ciphersuite info for %04x not found", (unsigned int)i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002276 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2277 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002278 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +01002279 }
Paul Bakker380da532012-04-18 16:10:25 +00002280
Hanno Beckere694c3e2017-12-27 21:34:08 +00002281 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +01002282
Paul Elliottd48d5c62021-01-07 14:47:05 +00002283 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002284 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002285
2286 /*
2287 * Check if the session can be resumed
2288 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002289 if( ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002290#if defined(MBEDTLS_SSL_RENEGOTIATION)
2291 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01002292#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002293 ssl->session_negotiate->ciphersuite != i ||
2294 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02002295 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002296 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002297 {
2298 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +00002299 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002300#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +01002301 ssl->session_negotiate->start = mbedtls_time( NULL );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02002302#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002303 ssl->session_negotiate->ciphersuite = i;
2304 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02002305 ssl->session_negotiate->id_len = n;
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002306 memcpy( ssl->session_negotiate->id, buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002307 }
2308 else
2309 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002310 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +00002311 }
2312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002313 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00002314 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002315
Paul Elliott3891caf2020-12-17 18:42:40 +00002316 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", (unsigned) i ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002317 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
2318 buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002319
Andrzej Kurek03bac442018-04-25 05:06:07 -04002320 /*
2321 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +01002322 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002323 i = 0;
2324 while( 1 )
2325 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002326 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002327 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002328 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002329 mbedtls_ssl_send_alert_message(
2330 ssl,
2331 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2332 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002333 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00002334 }
2335
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002336 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002337 ssl->session_negotiate->ciphersuite )
2338 {
Paul Bakker5121ce52009-01-03 21:22:43 +00002339 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002340 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002341 }
2342
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002343 suite_info = mbedtls_ssl_ciphersuite_from_id(
2344 ssl->session_negotiate->ciphersuite );
2345 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
2346 ssl->minor_ver ) != 0 )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +01002347 {
2348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002349 mbedtls_ssl_send_alert_message(
2350 ssl,
2351 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2352 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +01002353 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2354 }
2355
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002356 MBEDTLS_SSL_DEBUG_MSG( 3,
2357 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +01002358
Gilles Peskineeccd8882020-03-10 12:19:08 +01002359#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +02002360 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
2361 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2362 {
2363 ssl->handshake->ecrs_enabled = 1;
2364 }
2365#endif
2366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002367 if( comp != MBEDTLS_SSL_COMPRESS_NULL
2368#if defined(MBEDTLS_ZLIB_SUPPORT)
2369 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +00002370#endif
2371 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002372 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002373 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002374 mbedtls_ssl_send_alert_message(
2375 ssl,
2376 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2377 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002378 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00002379 }
Paul Bakker48916f92012-09-16 19:57:18 +00002380 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +00002381
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02002382 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +00002383
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002384 MBEDTLS_SSL_DEBUG_MSG( 2,
Paul Elliottd48d5c62021-01-07 14:47:05 +00002385 ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02002386
Paul Bakker48916f92012-09-16 19:57:18 +00002387 while( ext_len )
2388 {
2389 unsigned int ext_id = ( ( ext[0] << 8 )
2390 | ( ext[1] ) );
2391 unsigned int ext_size = ( ( ext[2] << 8 )
2392 | ( ext[3] ) );
2393
2394 if( ext_size + 4 > ext_len )
2395 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002397 mbedtls_ssl_send_alert_message(
2398 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2399 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002400 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00002401 }
2402
2403 switch( ext_id )
2404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002405 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2406 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
2407#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00002408 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01002409#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002410
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002411 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
2412 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00002413 return( ret );
2414
2415 break;
2416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002417#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2418 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002419 MBEDTLS_SSL_DEBUG_MSG( 3,
2420 ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02002421
2422 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
2423 ext + 4, ext_size ) ) != 0 )
2424 {
2425 return( ret );
2426 }
2427
2428 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002429#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02002430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002431#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2432 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2433 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02002434
2435 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2436 ext + 4, ext_size ) ) != 0 )
2437 {
2438 return( ret );
2439 }
2440
2441 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002442#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02002443
Hanno Beckera0e20d02019-05-15 14:03:01 +01002444#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Beckera8373a12019-04-26 15:37:26 +01002445 case MBEDTLS_TLS_EXT_CID:
2446 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
2447
2448 if( ( ret = ssl_parse_cid_ext( ssl,
2449 ext + 4,
2450 ext_size ) ) != 0 )
2451 {
2452 return( ret );
2453 }
2454
2455 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +01002456#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +01002457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002458#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2459 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2460 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002461
2462 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2463 ext + 4, ext_size ) ) != 0 )
2464 {
2465 return( ret );
2466 }
2467
2468 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002469#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01002470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002471#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2472 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002473 MBEDTLS_SSL_DEBUG_MSG( 3,
2474 ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002475
2476 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2477 ext + 4, ext_size ) ) != 0 )
2478 {
2479 return( ret );
2480 }
2481
2482 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002483#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02002484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002485#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2486 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02002488
2489 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2490 ext + 4, ext_size ) ) != 0 )
2491 {
2492 return( ret );
2493 }
2494
2495 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002496#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02002497
Robert Cragie136884c2015-10-02 13:34:31 +01002498#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +01002499 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002500 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002501 MBEDTLS_SSL_DEBUG_MSG( 3,
2502 ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02002503
2504 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2505 ext + 4, ext_size ) ) != 0 )
2506 {
2507 return( ret );
2508 }
2509
2510 break;
Robert Cragieae8535d2015-10-06 17:11:18 +01002511#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2512 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02002513
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02002514#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2515 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2516 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2517
2518 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2519 ext + 4, ext_size ) ) != 0 )
2520 {
2521 return( ret );
2522 }
2523
2524 break;
2525#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002527#if defined(MBEDTLS_SSL_ALPN)
2528 case MBEDTLS_TLS_EXT_ALPN:
2529 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002530
Johan Pascal275874b2020-10-27 10:43:53 +01002531 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2532 return( ret );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002533
2534 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002535#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02002536
Johan Pascalb62bb512015-12-03 21:56:45 +01002537#if defined(MBEDTLS_SSL_DTLS_SRTP)
2538 case MBEDTLS_TLS_EXT_USE_SRTP:
2539 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
2540
Johan Pascalc3ccd982020-10-28 17:18:18 +01002541 if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 )
2542 return( ret );
Johan Pascalb62bb512015-12-03 21:56:45 +01002543
2544 break;
2545#endif /* MBEDTLS_SSL_DTLS_SRTP */
2546
Paul Bakker48916f92012-09-16 19:57:18 +00002547 default:
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002548 MBEDTLS_SSL_DEBUG_MSG( 3,
Paul Elliott9f352112020-12-09 14:55:45 +00002549 ( "unknown extension found: %u (ignoring)", ext_id ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002550 }
2551
2552 ext_len -= 4 + ext_size;
2553 ext += 4 + ext_size;
2554
2555 if( ext_len > 0 && ext_len < 4 )
2556 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2558 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00002559 }
2560 }
2561
Andrzej Kurek77473eb2022-07-06 03:26:55 -04002562 /*
2563 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
2564 * extensions. It sets the transform data for the resumed session which in
2565 * case of DTLS includes the server CID extracted from the CID extension.
2566 */
2567 if( ssl->handshake->resume )
Andrzej Kurekc87d97b2022-06-14 07:12:33 -04002568 {
2569 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2570 {
2571 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2572 mbedtls_ssl_send_alert_message(
2573 ssl,
2574 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2575 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2576 return( ret );
2577 }
2578 }
2579
Paul Bakker48916f92012-09-16 19:57:18 +00002580 /*
2581 * Renegotiation security checks
2582 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002583 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002584 ssl->conf->allow_legacy_renegotiation ==
2585 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00002586 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002587 MBEDTLS_SSL_DEBUG_MSG( 1,
2588 ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002589 handshake_failure = 1;
2590 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002591#if defined(MBEDTLS_SSL_RENEGOTIATION)
2592 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2593 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +00002594 renegotiation_info_seen == 0 )
2595 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002596 MBEDTLS_SSL_DEBUG_MSG( 1,
2597 ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00002598 handshake_failure = 1;
2599 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002600 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2601 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002602 ssl->conf->allow_legacy_renegotiation ==
2603 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00002604 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002605 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002606 handshake_failure = 1;
2607 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002608 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2609 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002610 renegotiation_info_seen == 1 )
2611 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002612 MBEDTLS_SSL_DEBUG_MSG( 1,
2613 ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002614 handshake_failure = 1;
2615 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002616#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002617
2618 if( handshake_failure == 1 )
2619 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002620 mbedtls_ssl_send_alert_message(
2621 ssl,
2622 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2623 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002624 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00002625 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002627 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002628
2629 return( 0 );
2630}
2631
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002632#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2633 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002634MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002635static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2636 unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +02002637 unsigned char *end )
2638{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002639 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +01002640 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +02002641
Paul Bakker29e1f122013-04-16 13:07:56 +02002642 /*
2643 * Ephemeral DH parameters:
2644 *
2645 * struct {
2646 * opaque dh_p<1..2^16-1>;
2647 * opaque dh_g<1..2^16-1>;
2648 * opaque dh_Ys<1..2^16-1>;
2649 * } ServerDHParams;
2650 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002651 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
2652 p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02002653 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002654 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02002655 return( ret );
2656 }
2657
Gilles Peskinee8a2fc82020-12-08 22:46:11 +01002658 dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
2659 if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +02002660 {
Paul Elliottd48d5c62021-01-07 14:47:05 +00002661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
Gilles Peskinee8a2fc82020-12-08 22:46:11 +01002662 dhm_actual_bitlen,
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02002663 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002664 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002665 }
2666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002667 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2668 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2669 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +02002670
2671 return( ret );
2672}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002673#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2674 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02002675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002676#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2677 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2678 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2679 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2680 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002681MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002682static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002683{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002684 const mbedtls_ecp_curve_info *curve_info;
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002685 mbedtls_ecp_group_id grp_id;
2686#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2687 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2688#else
2689 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2690#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002691
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002692 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002693 if( curve_info == NULL )
2694 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2696 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01002697 }
2698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002700
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02002701#if defined(MBEDTLS_ECP_C)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002702 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
David Horstmanndbb6f082022-11-02 15:33:31 +00002703 return( -1 );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002704#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002705 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2706 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002707 return( -1 );
David Horstmanndbb6f082022-11-02 15:33:31 +00002708#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002709
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05002710 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2711 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002712
2713 return( 0 );
2714}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002715#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2716 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2717 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2718 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2719 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002720
Hanno Beckerbb89e272019-01-08 12:54:37 +00002721#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2722 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2723 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002724MBEDTLS_CHECK_RETURN_CRITICAL
Hanno Beckerbb89e272019-01-08 12:54:37 +00002725static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
2726 unsigned char **p,
2727 unsigned char *end )
2728{
2729 uint16_t tls_id;
Gilles Peskine42459802019-12-19 13:31:53 +01002730 size_t ecdh_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +00002731 uint8_t ecpoint_len;
2732 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2733
2734 /*
2735 * Parse ECC group
2736 */
2737
2738 if( end - *p < 4 )
2739 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2740
2741 /* First byte is curve_type; only named_curve is handled */
2742 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
2743 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2744
2745 /* Next two bytes are the namedcurve value */
2746 tls_id = *(*p)++;
2747 tls_id <<= 8;
2748 tls_id |= *(*p)++;
2749
Manuel Pégourié-Gonnard01784872022-01-25 11:46:19 +01002750 /* Check it's a curve we offered */
2751 if( mbedtls_ssl_check_curve_tls_id( ssl, tls_id ) != 0 )
2752 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2753
Hanno Beckerbb89e272019-01-08 12:54:37 +00002754 /* Convert EC group to PSA key type. */
Gilles Peskine42459802019-12-19 13:31:53 +01002755 if( ( handshake->ecdh_psa_type =
2756 mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
Hanno Beckerbb89e272019-01-08 12:54:37 +00002757 {
2758 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2759 }
Gilles Peskine42459802019-12-19 13:31:53 +01002760 if( ecdh_bits > 0xffff )
2761 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2762 handshake->ecdh_bits = (uint16_t) ecdh_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +00002763
2764 /*
2765 * Put peer's ECDH public key in the format understood by PSA.
2766 */
2767
2768 ecpoint_len = *(*p)++;
2769 if( (size_t)( end - *p ) < ecpoint_len )
2770 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2771
Gilles Peskine42459802019-12-19 13:31:53 +01002772 if( mbedtls_psa_tls_ecpoint_to_psa_ec(
Hanno Beckerbb89e272019-01-08 12:54:37 +00002773 *p, ecpoint_len,
2774 handshake->ecdh_psa_peerkey,
2775 sizeof( handshake->ecdh_psa_peerkey ),
2776 &handshake->ecdh_psa_peerkey_len ) != 0 )
2777 {
2778 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2779 }
2780
2781 *p += ecpoint_len;
2782 return( 0 );
2783}
2784#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2785 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2786 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2787
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002788#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2789 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2790 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002791MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002792static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +02002793 unsigned char **p,
2794 unsigned char *end )
2795{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002796 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +02002797
Paul Bakker29e1f122013-04-16 13:07:56 +02002798 /*
2799 * Ephemeral ECDH parameters:
2800 *
2801 * struct {
2802 * ECParameters curve_params;
2803 * ECPoint public;
2804 * } ServerECDHParams;
2805 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002806 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +02002807 (const unsigned char **) p, end ) ) != 0 )
2808 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002809 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +01002810#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +02002811 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2812 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02002813#endif
Paul Bakker29e1f122013-04-16 13:07:56 +02002814 return( ret );
2815 }
2816
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002817 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02002818 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002819 MBEDTLS_SSL_DEBUG_MSG( 1,
2820 ( "bad server key exchange message (ECDHE curve)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002821 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002822 }
2823
Paul Bakker29e1f122013-04-16 13:07:56 +02002824 return( ret );
2825}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002826#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2827 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2828 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02002829
Gilles Peskineeccd8882020-03-10 12:19:08 +01002830#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002831MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002832static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002833 unsigned char **p,
2834 unsigned char *end )
2835{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002836 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +03002837 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +02002838 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002839
2840 /*
2841 * PSK parameters:
2842 *
2843 * opaque psk_identity_hint<0..2^16-1>;
2844 */
Hanno Becker0c161d12018-10-08 13:40:50 +01002845 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +01002846 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002847 MBEDTLS_SSL_DEBUG_MSG( 1,
2848 ( "bad server key exchange message (psk_identity_hint length)" ) );
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +01002849 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2850 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +02002851 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002852 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002853
irwir6527bd62019-09-21 18:51:25 +03002854 if( end - (*p) < len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002855 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002856 MBEDTLS_SSL_DEBUG_MSG( 1,
2857 ( "bad server key exchange message (psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002858 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002859 }
2860
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +01002861 /*
2862 * Note: we currently ignore the PKS identity hint, as we only allow one
2863 * PSK to be provisionned on the client. This could be changed later if
2864 * someone needs that feature.
2865 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002866 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002867 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002868
2869 return( ret );
2870}
Gilles Peskineeccd8882020-03-10 12:19:08 +01002871#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002872
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002873#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2874 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002875/*
2876 * Generate a pre-master secret and encrypt it with the server's RSA key
2877 */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002878MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002879static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002880 size_t offset, size_t *olen,
2881 size_t pms_offset )
2882{
Janos Follath865b3eb2019-12-16 11:46:15 +00002883 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002884 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002885 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Beckerc7d7e292019-02-06 16:49:54 +00002886 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002887
Angus Grattond8213d02016-05-25 20:56:48 +10002888 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02002889 {
2890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2891 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2892 }
2893
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002894 /*
2895 * Generate (part of) the pre-master as
2896 * struct {
2897 * ProtocolVersion client_version;
2898 * opaque random[46];
2899 * } PreMasterSecret;
2900 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002901 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
2902 ssl->conf->max_minor_ver,
2903 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002904
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002905 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002906 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002907 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002908 return( ret );
2909 }
2910
2911 ssl->handshake->pmslen = 48;
2912
Hanno Beckerc7d7e292019-02-06 16:49:54 +00002913#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2914 peer_pk = &ssl->handshake->peer_pubkey;
2915#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002916 if( ssl->session_negotiate->peer_cert == NULL )
2917 {
Hanno Becker8273df82019-02-06 17:37:32 +00002918 /* Should never happen */
Hanno Becker62d58ed2019-02-26 11:51:06 +00002919 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +00002920 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002921 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +00002922 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2923#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002924
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002925 /*
2926 * Now write it out, encrypted
2927 */
Hanno Beckerc7d7e292019-02-06 16:49:54 +00002928 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002929 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2931 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002932 }
2933
Hanno Beckerc7d7e292019-02-06 16:49:54 +00002934 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002935 p, ssl->handshake->pmslen,
2936 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +10002937 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002938 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002939 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002940 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002941 return( ret );
2942 }
2943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002944#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2945 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002946 if( len_bytes == 2 )
2947 {
Joe Subbianic54e9082021-07-19 11:56:54 +01002948 MBEDTLS_PUT_UINT16_BE( *olen, ssl->out_msg, offset );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002949 *olen += 2;
2950 }
2951#endif
2952
Hanno Beckerae553dd2019-02-08 14:06:00 +00002953#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2954 /* We don't need the peer's public key anymore. Free it. */
2955 mbedtls_pk_free( peer_pk );
2956#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002957 return( 0 );
2958}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002959#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2960 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02002961
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002962#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +02002963#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2964 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2965 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02002966MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002967static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +02002968 unsigned char **p,
2969 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002970 mbedtls_md_type_t *md_alg,
2971 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +02002972{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +02002973 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002974 *md_alg = MBEDTLS_MD_NONE;
2975 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002976
2977 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002978 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002979 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002980 return( 0 );
2981 }
Paul Bakker29e1f122013-04-16 13:07:56 +02002982
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002983 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002984 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002985
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002986 /*
2987 * Get hash algorithm
2988 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002989 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2990 == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02002991 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01002992 MBEDTLS_SSL_DEBUG_MSG( 1,
2993 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002994 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002995 }
2996
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002997 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002998 * Get signature algorithm
2999 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003000 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
3001 == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02003002 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003003 MBEDTLS_SSL_DEBUG_MSG( 1,
3004 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003005 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02003006 }
3007
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02003008 /*
3009 * Check if the hash is acceptable
3010 */
3011 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
3012 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003013 MBEDTLS_SSL_DEBUG_MSG( 1,
3014 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02003015 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3016 }
3017
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
3019 (*p)[1] ) );
3020 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
3021 (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +02003022 *p += 2;
3023
3024 return( 0 );
3025}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +02003026#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3027 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3028 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003029#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +02003030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003031#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3032 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003033MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003034static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003035{
Janos Follath865b3eb2019-12-16 11:46:15 +00003036 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003037 const mbedtls_ecp_keypair *peer_key;
Hanno Beckerbe7f5082019-02-06 17:44:07 +00003038 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003039
Hanno Beckerbe7f5082019-02-06 17:44:07 +00003040#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3041 peer_pk = &ssl->handshake->peer_pubkey;
3042#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003043 if( ssl->session_negotiate->peer_cert == NULL )
3044 {
Hanno Becker8273df82019-02-06 17:37:32 +00003045 /* Should never happen */
Hanno Beckerbd5580a2019-02-26 12:36:01 +00003046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +00003047 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003048 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +00003049 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3050#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003051
Manuel Pégourié-Gonnard06e1fcd2022-06-16 10:48:06 +02003052 /* This is a public key, so it can't be opaque, so can_do() is a good
3053 * enough check to ensure pk_ec() is safe to use below. */
Hanno Beckerbe7f5082019-02-06 17:44:07 +00003054 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003055 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
3057 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003058 }
3059
Hanno Beckerbe7f5082019-02-06 17:44:07 +00003060 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003062 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
3063 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003064 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003065 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003066 return( ret );
3067 }
3068
3069 if( ssl_check_server_ecdh_params( ssl ) != 0 )
3070 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
3072 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003073 }
3074
Hanno Beckerae553dd2019-02-08 14:06:00 +00003075#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3076 /* We don't need the peer's public key anymore. Free it,
3077 * so that more RAM is available for upcoming expensive
3078 * operations like ECDHE. */
3079 mbedtls_pk_free( peer_pk );
3080#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3081
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003082 return( ret );
3083}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003084#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
3085 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003086
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003087MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003088static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +01003089{
Janos Follath865b3eb2019-12-16 11:46:15 +00003090 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003091 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00003092 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +01003093 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00003094
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003097#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3098 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00003099 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003100 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003101 ssl->state++;
3102 return( 0 );
3103 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02003104 ((void) p);
3105 ((void) end);
3106#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003108#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3109 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3110 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3111 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003112 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01003113 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
3114 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003115 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003116 mbedtls_ssl_send_alert_message(
3117 ssl,
3118 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3119 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01003120 return( ret );
3121 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003123 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003124 ssl->state++;
3125 return( 0 );
3126 }
3127 ((void) p);
3128 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003129#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3130 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01003131
Gilles Peskineeccd8882020-03-10 12:19:08 +01003132#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003133 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02003134 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003135 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02003136 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003137 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +02003138#endif
3139
Hanno Becker327c93b2018-08-15 13:56:18 +01003140 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003141 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003142 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003143 return( ret );
3144 }
3145
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003146 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00003147 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003149 mbedtls_ssl_send_alert_message(
3150 ssl,
3151 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3152 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003153 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003154 }
3155
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02003156 /*
3157 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
3158 * doesn't use a psk_identity_hint
3159 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003160 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +00003161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003162 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3163 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +02003164 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003165 /* Current message is probably either
3166 * CertificateRequest or ServerHelloDone */
3167 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +02003168 goto exit;
3169 }
3170
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003171 MBEDTLS_SSL_DEBUG_MSG( 1,
3172 ( "server key exchange message must not be skipped" ) );
3173 mbedtls_ssl_send_alert_message(
3174 ssl,
3175 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3176 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003177
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003178 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003179 }
3180
Gilles Peskineeccd8882020-03-10 12:19:08 +01003181#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02003182 if( ssl->handshake->ecrs_enabled )
3183 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
3184
3185start_processing:
3186#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003187 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +01003188 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003189 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +01003190
Gilles Peskineeccd8882020-03-10 12:19:08 +01003191#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003192 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3193 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3194 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3195 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02003196 {
3197 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
3198 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003199 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003200 mbedtls_ssl_send_alert_message(
3201 ssl,
3202 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02003205 }
Shaun Case0e7791f2021-12-20 21:14:10 -08003206 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +01003207#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02003208
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003209#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
3210 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3211 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3212 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02003213 ; /* nothing more to do */
3214 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003215#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
3216 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3217#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3218 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3219 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
3220 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00003221 {
Paul Bakker29e1f122013-04-16 13:07:56 +02003222 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01003223 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003224 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003225 mbedtls_ssl_send_alert_message(
3226 ssl,
3227 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3228 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003229 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003230 }
3231 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003232 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003233#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3234 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +00003235#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3236 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3237 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3238 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3239 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3240 {
3241 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
3242 {
3243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003244 mbedtls_ssl_send_alert_message(
3245 ssl,
3246 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3247 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Beckerbb89e272019-01-08 12:54:37 +00003248 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3249 }
3250 }
3251 else
3252#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3253 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3254 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003255#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3256 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
3257 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3258 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3259 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3260 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003261 {
3262 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
3263 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003265 mbedtls_ssl_send_alert_message(
3266 ssl,
3267 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3268 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003269 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +01003270 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00003271 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003272 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003273#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3274 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
3275 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02003276#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3277 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3278 {
3279 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
3280 p, end - p );
3281 if( ret != 0 )
3282 {
3283 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003284 mbedtls_ssl_send_alert_message(
3285 ssl,
3286 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3287 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02003288 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3289 }
3290 }
3291 else
3292#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01003293 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3295 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003296 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00003297
Gilles Peskineeccd8882020-03-10 12:19:08 +01003298#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +01003299 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +00003300 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +00003301 size_t sig_len, hashlen;
Ronald Cron3a95d2b2021-10-18 09:47:58 +02003302#if defined(MBEDTLS_USE_PSA_CRYPTO)
3303 unsigned char hash[PSA_HASH_MAX_SIZE];
3304#else
3305 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3306#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003307 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3308 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
3309 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +00003310 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +02003311 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003312
Hanno Beckera6899bb2019-02-06 18:26:03 +00003313 mbedtls_pk_context * peer_pk;
3314
Paul Bakker29e1f122013-04-16 13:07:56 +02003315 /*
3316 * Handle the digitally-signed structure
3317 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003318#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3319 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +00003320 {
Paul Bakker9659dae2013-08-28 16:21:34 +02003321 if( ssl_parse_signature_algorithm( ssl, &p, end,
3322 &md_alg, &pk_alg ) != 0 )
3323 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003324 MBEDTLS_SSL_DEBUG_MSG( 1,
3325 ( "bad server key exchange message" ) );
3326 mbedtls_ssl_send_alert_message(
3327 ssl,
3328 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3329 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003330 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +02003331 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00003332
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003333 if( pk_alg !=
3334 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +00003335 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003336 MBEDTLS_SSL_DEBUG_MSG( 1,
3337 ( "bad server key exchange message" ) );
3338 mbedtls_ssl_send_alert_message(
3339 ssl,
3340 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3341 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003342 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003343 }
3344 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +02003345 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003346#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3347#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3348 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3349 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +02003350 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003351 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003352
Paul Bakker9659dae2013-08-28 16:21:34 +02003353 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003354 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
3355 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +02003356 }
3357 else
3358#endif
3359 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003360 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3361 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +02003362 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003363
3364 /*
3365 * Read signature
3366 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +01003367
3368 if( p > end - 2 )
3369 {
3370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003371 mbedtls_ssl_send_alert_message(
3372 ssl,
3373 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3374 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +01003375 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3376 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003377 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +00003378 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003379
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +01003380 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +01003381 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003383 mbedtls_ssl_send_alert_message(
3384 ssl,
3385 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3386 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003387 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +01003388 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003390 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02003391
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003392 /*
3393 * Compute the hash that has been signed
3394 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003395#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3396 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3397 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +00003398 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003399 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01003400 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
3401 params_len );
3402 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +01003403 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02003404 }
3405 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003406#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3407 MBEDTLS_SSL_PROTO_TLS1_1 */
3408#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3409 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3410 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02003411 {
Gilles Peskineca1d7422018-04-24 11:53:22 +02003412 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3413 params, params_len,
3414 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01003415 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02003416 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02003417 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003418 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003419#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3420 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +02003421 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02003424 }
Paul Bakker29e1f122013-04-16 13:07:56 +02003425
Gilles Peskineca1d7422018-04-24 11:53:22 +02003426 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +02003427
Hanno Beckera6899bb2019-02-06 18:26:03 +00003428#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3429 peer_pk = &ssl->handshake->peer_pubkey;
3430#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003431 if( ssl->session_negotiate->peer_cert == NULL )
3432 {
Hanno Becker8273df82019-02-06 17:37:32 +00003433 /* Should never happen */
Hanno Beckerbd5580a2019-02-26 12:36:01 +00003434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Becker8273df82019-02-06 17:37:32 +00003435 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003436 }
Hanno Beckera6899bb2019-02-06 18:26:03 +00003437 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3438#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02003439
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003440 /*
3441 * Verify signature
3442 */
Hanno Beckera6899bb2019-02-06 18:26:03 +00003443 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003444 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003446 mbedtls_ssl_send_alert_message(
3447 ssl,
3448 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3449 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003450 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003451 }
3452
Gilles Peskineeccd8882020-03-10 12:19:08 +01003453#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003454 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02003455 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +02003456#endif
3457
Hanno Beckera6899bb2019-02-06 18:26:03 +00003458 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +02003459 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02003460 {
Gilles Peskineeccd8882020-03-10 12:19:08 +01003461#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02003462 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
David Horstmann0448de52022-11-02 18:05:24 +00003463 {
3464 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
3465 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
3466 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02003467#endif
David Horstmann0448de52022-11-02 18:05:24 +00003468 mbedtls_ssl_send_alert_message(
3469 ssl,
3470 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3471 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
3472 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02003473 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +00003474 }
Hanno Beckerae553dd2019-02-08 14:06:00 +00003475
3476#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3477 /* We don't need the peer's public key anymore. Free it,
3478 * so that more RAM is available for upcoming expensive
3479 * operations like ECDHE. */
3480 mbedtls_pk_free( peer_pk );
3481#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +00003482 }
Gilles Peskineeccd8882020-03-10 12:19:08 +01003483#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00003484
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003485exit:
Paul Bakker5121ce52009-01-03 21:22:43 +00003486 ssl->state++;
3487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003488 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003489
3490 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003491}
3492
Gilles Peskineeccd8882020-03-10 12:19:08 +01003493#if ! defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003494MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003495static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003496{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003497 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00003498 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003499
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003501
Hanno Becker1aa267c2017-04-28 17:08:27 +01003502 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003503 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003505 ssl->state++;
3506 return( 0 );
3507 }
3508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3510 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003511}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003512#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003513MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003514static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003515{
Janos Follath865b3eb2019-12-16 11:46:15 +00003516 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003517 unsigned char *buf;
3518 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003519 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003520 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00003521 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00003522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003524
Hanno Becker1aa267c2017-04-28 17:08:27 +01003525 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003526 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01003528 ssl->state++;
3529 return( 0 );
3530 }
3531
Hanno Becker327c93b2018-08-15 13:56:18 +01003532 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003533 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003534 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3535 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003536 }
3537
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003538 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3539 {
3540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003541 mbedtls_ssl_send_alert_message(
3542 ssl,
3543 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3544 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003545 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3546 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003547
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003548 ssl->state++;
3549 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +00003550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +00003552 ssl->client_auth ? "a" : "no" ) );
3553
Paul Bakker926af752012-11-23 13:38:07 +01003554 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003555 {
Johan Pascala89ca862020-08-25 10:03:19 +02003556 /* Current message is probably the ServerHelloDone */
3557 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +01003558 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003559 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003560
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +02003561 /*
3562 * struct {
3563 * ClientCertificateType certificate_types<1..2^8-1>;
3564 * SignatureAndHashAlgorithm
3565 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3566 * DistinguishedName certificate_authorities<0..2^16-1>;
3567 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003568 *
3569 * Since we only support a single certificate on clients, let's just
3570 * ignore all the information that's supposed to help us pick a
3571 * certificate.
3572 *
3573 * We could check that our certificate matches the request, and bail out
3574 * if it doesn't, but it's simpler to just send the certificate anyway,
3575 * and give the server the opportunity to decide if it should terminate
3576 * the connection when it doesn't like our certificate.
3577 *
3578 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3579 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +00003580 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003581 *
3582 * However, we still minimally parse the message to check it is at least
3583 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +02003584 */
Paul Bakker926af752012-11-23 13:38:07 +01003585 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +02003586
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003587 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +02003588 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3589 {
3590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3591 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3592 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3593 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3594 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003595 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +01003596 n = cert_type_len;
3597
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +01003598 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +02003599 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +01003600 * * the length of the signature algorithms field (if minor version of
3601 * SSL is 3),
3602 * * distinguished name length otherwise.
3603 * Both reach at most the index:
3604 * ...hdr_len + 2 + n,
3605 * therefore the buffer length at this point must be greater than that
3606 * regardless of the actual code path.
3607 */
3608 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +01003609 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003610 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3612 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003613 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +01003614 }
3615
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003616 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003617#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3618 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01003619 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003620 size_t sig_alg_len =
3621 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3622 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +01003623#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003624 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +01003625 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003626#endif
Simon Butcher99000142016-10-13 17:21:01 +01003627
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003628 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +02003629 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003630 * sig_alg[i + 1],
3631 * where:
3632 * sig_alg = buf + ...hdr_len + 3 + n,
3633 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +02003634 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003635 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3636 * which reduces to:
3637 * buf[...hdr_len + 3 + n + sig_alg_len],
3638 * which is one less than we need the buf to be.
3639 */
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003640 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
3641 + 3 + n + sig_alg_len )
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003642 {
3643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003644 mbedtls_ssl_send_alert_message(
3645 ssl,
3646 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3647 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +01003648 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3649 }
3650
3651#if defined(MBEDTLS_DEBUG_C)
3652 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +01003653 for( i = 0; i < sig_alg_len; i += 2 )
3654 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003655 MBEDTLS_SSL_DEBUG_MSG( 3,
3656 ( "Supported Signature Algorithm found: %d,%d",
3657 sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +01003658 }
3659#endif
Paul Bakker926af752012-11-23 13:38:07 +01003660
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003661 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +02003662 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003663#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +01003664
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003665 /* certificate_authorities */
3666 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3667 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +01003668
3669 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00003670 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +01003671 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003673 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3674 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003675 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +01003676 }
3677
3678exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003680
3681 return( 0 );
3682}
Gilles Peskineeccd8882020-03-10 12:19:08 +01003683#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00003684
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003685MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003686static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003687{
Janos Follath865b3eb2019-12-16 11:46:15 +00003688 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +00003689
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003690 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003691
Hanno Becker327c93b2018-08-15 13:56:18 +01003692 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003693 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003694 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3695 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003696 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +01003697
3698 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3699 {
3700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3701 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3702 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003704 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3705 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00003706 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003707 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003708 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3709 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003710 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003711 }
3712
3713 ssl->state++;
3714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003715#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003716 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003717 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003718#endif
3719
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003720 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003721
3722 return( 0 );
3723}
3724
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02003725MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003726static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003727{
Janos Follath865b3eb2019-12-16 11:46:15 +00003728 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003729
3730 size_t header_len;
3731 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003732 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00003733 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00003734
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003735 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003737#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3738 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00003739 {
Paul Bakker5121ce52009-01-03 21:22:43 +00003740 /*
3741 * DHM key exchange -- send G^X mod P
3742 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003743 content_len = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +00003744
Joe Subbianic54e9082021-07-19 11:56:54 +01003745 MBEDTLS_PUT_UINT16_BE( content_len, ssl->out_msg, 4 );
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003746 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +00003747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003748 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003749 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3750 &ssl->out_msg[header_len], content_len,
3751 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +00003752 if( ret != 0 )
3753 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003754 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003755 return( ret );
3756 }
3757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003758 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3759 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +00003760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003761 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003762 ssl->handshake->premaster,
3763 MBEDTLS_PREMASTER_SIZE,
3764 &ssl->handshake->pmslen,
3765 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003766 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003767 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003768 return( ret );
3769 }
3770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003771 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +00003772 }
3773 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003774#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Hanno Becker4a63ed42019-01-08 11:39:35 +00003775#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3776 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3777 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3778 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3779 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3780 {
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003781 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3782 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +01003783 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +00003784
3785 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3786
3787 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3788 size_t own_pubkey_len;
3789 unsigned char *own_pubkey_ecpoint;
3790 size_t own_pubkey_ecpoint_len;
3791
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003792 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +00003793
Hanno Becker0a94a642019-01-11 14:35:30 +00003794 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
3795
Hanno Becker4a63ed42019-01-08 11:39:35 +00003796 /*
3797 * Generate EC private key for ECDHE exchange.
3798 */
3799
Hanno Becker4a63ed42019-01-08 11:39:35 +00003800 /* The master secret is obtained from the shared ECDH secret by
3801 * applying the TLS 1.2 PRF with a specific salt and label. While
3802 * the PSA Crypto API encourages combining key agreement schemes
3803 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3804 * yet support the provisioning of salt + label to the KDF.
3805 * For the time being, we therefore need to split the computation
3806 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +01003807 key_attributes = psa_key_attributes_init();
3808 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
Janos Follathdf3b0892019-08-08 11:12:24 +01003809 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
Gilles Peskine42459802019-12-19 13:31:53 +01003810 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
3811 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
Hanno Becker4a63ed42019-01-08 11:39:35 +00003812
3813 /* Generate ECDH private key. */
Janos Follath53b8ec22019-08-08 10:28:27 +01003814 status = psa_generate_key( &key_attributes,
Janos Follathdf3b0892019-08-08 11:12:24 +01003815 &handshake->ecdh_psa_privkey );
Hanno Becker4a63ed42019-01-08 11:39:35 +00003816 if( status != PSA_SUCCESS )
3817 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3818
3819 /* Export the public part of the ECDH private key from PSA
3820 * and convert it to ECPoint format used in ClientKeyExchange. */
3821 status = psa_export_public_key( handshake->ecdh_psa_privkey,
3822 own_pubkey, sizeof( own_pubkey ),
3823 &own_pubkey_len );
3824 if( status != PSA_SUCCESS )
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003825 {
3826 psa_destroy_key( handshake->ecdh_psa_privkey );
3827 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Becker4a63ed42019-01-08 11:39:35 +00003828 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003829 }
Hanno Becker4a63ed42019-01-08 11:39:35 +00003830
3831 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey,
3832 own_pubkey_len,
3833 &own_pubkey_ecpoint,
3834 &own_pubkey_ecpoint_len ) != 0 )
3835 {
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003836 psa_destroy_key( handshake->ecdh_psa_privkey );
3837 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Hanno Becker4a63ed42019-01-08 11:39:35 +00003838 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3839 }
3840
3841 /* Copy ECPoint structure to outgoing message buffer. */
Andrzej Kurekade9e282019-05-07 08:19:33 -04003842 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003843 memcpy( ssl->out_msg + header_len + 1,
3844 own_pubkey_ecpoint, own_pubkey_ecpoint_len );
3845 content_len = own_pubkey_ecpoint_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +00003846
Hanno Becker4a63ed42019-01-08 11:39:35 +00003847 /* The ECDH secret is the premaster secret used for key derivation. */
3848
Janos Follathdf3b0892019-08-08 11:12:24 +01003849 /* Compute ECDH shared secret. */
3850 status = psa_raw_key_agreement( PSA_ALG_ECDH,
3851 handshake->ecdh_psa_privkey,
3852 handshake->ecdh_psa_peerkey,
3853 handshake->ecdh_psa_peerkey_len,
3854 ssl->handshake->premaster,
3855 sizeof( ssl->handshake->premaster ),
3856 &ssl->handshake->pmslen );
Hanno Becker4a63ed42019-01-08 11:39:35 +00003857
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003858 destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey );
Ronald Croncf56a0a2020-08-04 09:51:30 +02003859 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek4b1216b2022-02-24 13:38:48 -05003860
3861 if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS )
3862 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
Hanno Becker4a63ed42019-01-08 11:39:35 +00003863 }
3864 else
3865#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3866 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3867 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003868#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3869 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3870 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3871 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3872 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3873 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3874 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3875 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01003876 {
3877 /*
3878 * ECDH key exchange -- send client public value
3879 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003880 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +01003881
Gilles Peskineeccd8882020-03-10 12:19:08 +01003882#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003883 if( ssl->handshake->ecrs_enabled )
3884 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +02003885 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003886 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +02003887
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003888 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3889 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +02003890#endif
3891
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003892 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003893 &content_len,
3894 &ssl->out_msg[header_len], 1000,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01003895 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +01003896 if( ret != 0 )
3897 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003898 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +01003899#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02003900 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3901 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3902#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01003903 return( ret );
3904 }
3905
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05003906 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3907 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +01003908
Gilles Peskineeccd8882020-03-10 12:19:08 +01003909#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003910 if( ssl->handshake->ecrs_enabled )
3911 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003912 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +02003913 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003914 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +02003915
3916ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02003917 if( ssl->handshake->ecrs_enabled )
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003918 content_len = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +02003919#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003920 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003921 &ssl->handshake->pmslen,
3922 ssl->handshake->premaster,
3923 MBEDTLS_MPI_MAX_SIZE,
3924 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01003925 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003926 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +01003927#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02003928 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3929 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3930#endif
Paul Bakker41c83d32013-03-20 14:39:14 +01003931 return( ret );
3932 }
3933
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05003934 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3935 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +01003936 }
3937 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003938#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3939 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3940 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3941 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +01003942#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +01003943 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003944 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003945 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003946 * opaque psk_identity<0..2^16-1>;
3947 */
Hanno Becker520224e2018-10-26 11:38:07 +01003948 if( ssl_conf_has_static_psk( ssl->conf ) == 0 )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02003949 {
Hanno Becker2e4f6162018-10-23 11:54:44 +01003950 /* We don't offer PSK suites if we don't have a PSK,
3951 * and we check that the server's choice is among the
3952 * ciphersuites we offered, so this should never happen. */
3953 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02003954 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003955
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003956 header_len = 4;
3957 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003958
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003959 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003960 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01003961 MBEDTLS_SSL_DEBUG_MSG( 1,
3962 ( "psk identity too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02003963 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3964 }
3965
Joe Subbianiad1115a2021-07-16 14:27:50 +01003966 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len );
3967 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003968
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003969 memcpy( ssl->out_msg + header_len,
3970 ssl->conf->psk_identity,
3971 ssl->conf->psk_identity_len );
3972 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003973
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003974#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3975 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003976 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003977 content_len = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02003978 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02003979 else
3980#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003981#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3982 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003983 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +01003984#if defined(MBEDTLS_USE_PSA_CRYPTO)
3985 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +01003986 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02003987 {
3988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with RSA-PSK" ) );
Hanno Beckerdfab8e22018-10-23 11:59:34 +01003989 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02003990 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +01003991#endif /* MBEDTLS_USE_PSA_CRYPTO */
3992
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00003993 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3994 &content_len, 2 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02003995 return( ret );
3996 }
3997 else
3998#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003999#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
4000 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004001 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004002#if defined(MBEDTLS_USE_PSA_CRYPTO)
4003 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +01004004 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02004005 {
4006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with DHE-PSK" ) );
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004007 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02004008 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004009#endif /* MBEDTLS_USE_PSA_CRYPTO */
4010
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004011 /*
4012 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
4013 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004014 content_len = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02004015
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004016 if( header_len + 2 + content_len >
4017 MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02004018 {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01004019 MBEDTLS_SSL_DEBUG_MSG( 1,
4020 ( "psk identity or DHM size too long or SSL buffer too short" ) );
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02004021 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4022 }
4023
Joe Subbianiad1115a2021-07-16 14:27:50 +01004024 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len );
4025 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004026
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004027 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
4028 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004029 &ssl->out_msg[header_len], content_len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01004030 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004031 if( ret != 0 )
4032 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004033 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004034 return( ret );
4035 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004036 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004037 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004038#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
4039#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
4040 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02004041 {
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004042#if defined(MBEDTLS_USE_PSA_CRYPTO)
4043 /* Opaque PSKs are currently only supported for PSK-only suites. */
Hanno Becker520224e2018-10-26 11:38:07 +01004044 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02004045 {
4046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "opaque PSK not supported with ECDHE-PSK" ) );
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004047 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda49a00c2022-06-14 10:45:19 +02004048 }
Hanno Beckerdfab8e22018-10-23 11:59:34 +01004049#endif /* MBEDTLS_USE_PSA_CRYPTO */
4050
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004051 /*
4052 * ClientECDiffieHellmanPublic public;
4053 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004054 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
4055 &content_len,
4056 &ssl->out_msg[header_len],
4057 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01004058 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004059 if( ret != 0 )
4060 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004061 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004062 return( ret );
4063 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02004064
Andrzej Kurekc470b6b2019-01-31 08:20:20 -05004065 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
4066 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004067 }
4068 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004069#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02004070 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4072 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004073 }
4074
Hanno Beckerafd311e2018-10-23 15:26:40 +01004075#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
4076 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
4077 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
4078 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
Hanno Becker520224e2018-10-26 11:38:07 +01004079 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
Hanno Beckerafd311e2018-10-23 15:26:40 +01004080 {
Ronald Cron5ee57072020-06-11 09:34:06 +02004081 MBEDTLS_SSL_DEBUG_MSG( 1,
4082 ( "skip PMS generation for opaque PSK" ) );
Hanno Beckerafd311e2018-10-23 15:26:40 +01004083 }
4084 else
4085#endif /* MBEDTLS_USE_PSA_CRYPTO &&
4086 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004087 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02004088 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004089 {
Ronald Cron5ee57072020-06-11 09:34:06 +02004090 MBEDTLS_SSL_DEBUG_RET( 1,
4091 "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004092 return( ret );
4093 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004094 }
4095 else
Gilles Peskineeccd8882020-03-10 12:19:08 +01004096#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004097#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4098 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00004099 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004100 header_len = 4;
4101 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
4102 &content_len, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +00004103 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004104 }
Paul Bakkered27a042013-04-18 22:46:23 +02004105 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004106#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02004107#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4108 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4109 {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004110 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02004111
4112 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004113 ssl->out_msg + header_len,
4114 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
4115 &content_len,
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02004116 ssl->conf->f_rng, ssl->conf->p_rng );
4117 if( ret != 0 )
4118 {
4119 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
4120 return( ret );
4121 }
4122
4123 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
4124 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4125 ssl->conf->f_rng, ssl->conf->p_rng );
4126 if( ret != 0 )
4127 {
4128 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
4129 return( ret );
4130 }
4131 }
4132 else
4133#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +02004134 {
4135 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4137 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +02004138 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004139
Hanno Beckerc14a3bb2019-01-14 09:41:16 +00004140 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004141 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4142 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +00004143
4144 ssl->state++;
4145
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02004146 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004147 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02004148 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004149 return( ret );
4150 }
4151
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004153
4154 return( 0 );
4155}
4156
Gilles Peskineeccd8882020-03-10 12:19:08 +01004157#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02004158MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004159static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004160{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01004161 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00004162 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +00004163 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +00004164
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004167 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02004168 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02004170 return( ret );
4171 }
4172
Hanno Becker77adddc2019-02-07 12:32:43 +00004173 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +02004174 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004175 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +02004176 ssl->state++;
4177 return( 0 );
4178 }
4179
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4181 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004182}
Gilles Peskineeccd8882020-03-10 12:19:08 +01004183#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02004184MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004185static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004186{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004187 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01004188 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +00004189 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004190 size_t n = 0, offset = 0;
4191 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02004192 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004193 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02004194 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004195 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004197 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004198
Gilles Peskineeccd8882020-03-10 12:19:08 +01004199#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02004200 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02004201 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02004202 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02004203 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02004204 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004205#endif
4206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004207 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02004208 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004209 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02004210 return( ret );
4211 }
4212
Hanno Becker77adddc2019-02-07 12:32:43 +00004213 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004214 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004215 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02004216 ssl->state++;
4217 return( 0 );
4218 }
4219
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004220 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00004221 {
Johan Pascala89ca862020-08-25 10:03:19 +02004222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
4223 ssl->state++;
4224 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004225 }
4226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004227 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00004228 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02004229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004230 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00004231 }
4232
4233 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02004234 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +00004235 */
Gilles Peskineeccd8882020-03-10 12:19:08 +01004236#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +02004237 if( ssl->handshake->ecrs_enabled )
4238 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
4239
4240sign:
4241#endif
4242
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +02004243 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00004244
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004245#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4246 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4247 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +00004248 {
Paul Bakker926af752012-11-23 13:38:07 +01004249 /*
4250 * digitally-signed struct {
4251 * opaque md5_hash[16];
4252 * opaque sha_hash[20];
4253 * };
4254 *
4255 * md5_hash
4256 * MD5(handshake_messages);
4257 *
4258 * sha_hash
4259 * SHA(handshake_messages);
4260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004261 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02004262
4263 /*
4264 * For ECDSA, default hash is SHA-1 only
4265 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004266 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02004267 {
4268 hash_start += 16;
4269 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004270 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02004271 }
Paul Bakker926af752012-11-23 13:38:07 +01004272 }
4273 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004274#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
4275 MBEDTLS_SSL_PROTO_TLS1_1 */
4276#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4277 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01004278 {
4279 /*
4280 * digitally-signed struct {
4281 * opaque handshake_messages[handshake_messages_length];
4282 * };
4283 *
4284 * Taking shortcut here. We assume that the server always allows the
4285 * PRF Hash function and has sent it in the allowed signature
4286 * algorithms list received in the Certificate Request message.
4287 *
4288 * Until we encounter a server that does not, we will take this
4289 * shortcut.
4290 *
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01004291 * Reason: Otherwise we should have running hashes for SHA512 and
4292 * SHA224 in order to satisfy 'weird' needs from the server
4293 * side.
Paul Bakker926af752012-11-23 13:38:07 +01004294 */
Hanno Beckere694c3e2017-12-27 21:34:08 +00004295 if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00004296 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004297 md_alg = MBEDTLS_MD_SHA384;
4298 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +00004299 }
4300 else
4301 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004302 md_alg = MBEDTLS_MD_SHA256;
4303 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +00004304 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004305 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00004306
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02004307 /* Info from md_alg will be used instead */
4308 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +00004309 offset = 2;
4310 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004311 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004312#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02004313 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02004316 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00004317
Gilles Peskineeccd8882020-03-10 12:19:08 +01004318#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +02004319 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02004320 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004321#endif
4322
4323 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
4324 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004325 ssl->out_msg + 6 + offset, &n,
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +02004326 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +02004327 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004328 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Gilles Peskineeccd8882020-03-10 12:19:08 +01004329#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +02004330 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
4331 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
4332#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004333 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +02004334 }
Paul Bakker926af752012-11-23 13:38:07 +01004335
Joe Subbianic54e9082021-07-19 11:56:54 +01004336 MBEDTLS_PUT_UINT16_BE( n, ssl->out_msg, offset + 4 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004337
Paul Bakker1ef83d62012-04-11 12:09:53 +00004338 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004339 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4340 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00004341
4342 ssl->state++;
4343
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02004344 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004345 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +02004346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004347 return( ret );
4348 }
4349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004350 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004351
Paul Bakkered27a042013-04-18 22:46:23 +02004352 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004353}
Gilles Peskineeccd8882020-03-10 12:19:08 +01004354#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00004355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004356#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardd904d662022-06-17 10:24:00 +02004357MBEDTLS_CHECK_RETURN_CRITICAL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004358static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004359{
Janos Follath865b3eb2019-12-16 11:46:15 +00004360 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004361 uint32_t lifetime;
4362 size_t ticket_len;
4363 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02004364 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004366 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004367
Hanno Becker327c93b2018-08-15 13:56:18 +01004368 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004369 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004371 return( ret );
4372 }
4373
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004374 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004375 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004376 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Hanno Beckerb2fff6d2017-05-08 11:06:19 +01004377 mbedtls_ssl_send_alert_message(
4378 ssl,
4379 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4380 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004381 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004382 }
4383
4384 /*
4385 * struct {
4386 * uint32 ticket_lifetime_hint;
4387 * opaque ticket<0..2^16-1>;
4388 * } NewSessionTicket;
4389 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02004390 * 0 . 3 ticket_lifetime_hint
4391 * 4 . 5 ticket_len (n)
4392 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004393 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004394 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
4395 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004396 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02004398 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4399 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004400 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004401 }
4402
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004403 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004404
Philippe Antoineb5b25432018-05-11 11:06:29 +02004405 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
4406 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004407
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02004408 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
4409
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004410 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004411 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02004413 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4414 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004415 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004416 }
4417
Paul Elliottd48d5c62021-01-07 14:47:05 +00004418 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004419
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02004420 /* We're not waiting for a NewSessionTicket message any more */
4421 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004422 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02004423
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004424 /*
4425 * Zero-length ticket means the server changed his mind and doesn't want
4426 * to send a ticket after all, so just forget it
4427 */
Paul Bakker66d5d072014-06-17 16:39:18 +02004428 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004429 return( 0 );
4430
Hanno Beckerb2964cb2019-01-30 14:46:35 +00004431 if( ssl->session != NULL && ssl->session->ticket != NULL )
4432 {
4433 mbedtls_platform_zeroize( ssl->session->ticket,
4434 ssl->session->ticket_len );
4435 mbedtls_free( ssl->session->ticket );
4436 ssl->session->ticket = NULL;
4437 ssl->session->ticket_len = 0;
4438 }
4439
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05004440 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
4441 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004442 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004443 ssl->session_negotiate->ticket = NULL;
4444 ssl->session_negotiate->ticket_len = 0;
4445
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02004446 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004447 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02004448 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02004449 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4450 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02004451 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004452 }
4453
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02004454 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004455
4456 ssl->session_negotiate->ticket = ticket;
4457 ssl->session_negotiate->ticket_len = ticket_len;
4458 ssl->session_negotiate->ticket_lifetime = lifetime;
4459
4460 /*
4461 * RFC 5077 section 3.4:
4462 * "If the client receives a session ticket from the server, then it
4463 * discards any Session ID that was sent in the ServerHello."
4464 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004465 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02004466 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004467
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004468 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004469
4470 return( 0 );
4471}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004472#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004473
Paul Bakker5121ce52009-01-03 21:22:43 +00004474/*
Paul Bakker1961b702013-01-25 14:49:24 +01004475 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00004476 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004477int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004478{
4479 int ret = 0;
4480
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +02004481 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004482 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00004483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +01004485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004486 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +01004487 return( ret );
4488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004489#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02004490 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004491 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02004492 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +02004493 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02004494 return( ret );
4495 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +01004496#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02004497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004498 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02004499 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004500#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4501 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02004502 ssl->handshake->new_session_ticket != 0 )
4503 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004504 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02004505 }
4506#endif
4507
Paul Bakker1961b702013-01-25 14:49:24 +01004508 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00004509 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004510 case MBEDTLS_SSL_HELLO_REQUEST:
4511 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00004512 break;
4513
Paul Bakker1961b702013-01-25 14:49:24 +01004514 /*
4515 * ==> ClientHello
4516 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004517 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +01004518 ret = ssl_write_client_hello( ssl );
4519 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004520
Paul Bakker1961b702013-01-25 14:49:24 +01004521 /*
4522 * <== ServerHello
4523 * Certificate
4524 * ( ServerKeyExchange )
4525 * ( CertificateRequest )
4526 * ServerHelloDone
4527 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004528 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +01004529 ret = ssl_parse_server_hello( ssl );
4530 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004532 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4533 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004534 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004536 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +01004537 ret = ssl_parse_server_key_exchange( ssl );
4538 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004540 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +01004541 ret = ssl_parse_certificate_request( ssl );
4542 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004544 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +01004545 ret = ssl_parse_server_hello_done( ssl );
4546 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004547
Paul Bakker1961b702013-01-25 14:49:24 +01004548 /*
4549 * ==> ( Certificate/Alert )
4550 * ClientKeyExchange
4551 * ( CertificateVerify )
4552 * ChangeCipherSpec
4553 * Finished
4554 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004555 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4556 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004557 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004559 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +01004560 ret = ssl_write_client_key_exchange( ssl );
4561 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004563 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +01004564 ret = ssl_write_certificate_verify( ssl );
4565 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004567 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4568 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004569 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004570
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004571 case MBEDTLS_SSL_CLIENT_FINISHED:
4572 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004573 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004574
Paul Bakker1961b702013-01-25 14:49:24 +01004575 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02004576 * <== ( NewSessionTicket )
4577 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01004578 * Finished
4579 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004580#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4581 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02004582 ret = ssl_parse_new_session_ticket( ssl );
4583 break;
Paul Bakkera503a632013-08-14 13:48:06 +02004584#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02004585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004586 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4587 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004588 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004590 case MBEDTLS_SSL_SERVER_FINISHED:
4591 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004592 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004594 case MBEDTLS_SSL_FLUSH_BUFFERS:
4595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4596 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +01004597 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00004598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004599 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4600 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01004601 break;
Paul Bakker48916f92012-09-16 19:57:18 +00004602
Paul Bakker1961b702013-01-25 14:49:24 +01004603 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4605 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +01004606 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004607
4608 return( ret );
4609}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02004610#endif /* MBEDTLS_SSL_CLI_C */