TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / aa7cbd619c670f665822b1859fcf52432a478a84 / . / library / ssl_tls12_client.c
blob: a53ea03cd2c7ae04f03a464608256dc09fc245fc [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS client-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]20#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]23
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]24#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]25
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]26#include "mbedtls/ssl.h"
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]27#include "ssl_client.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]28#include "ssl_misc.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]29#include "mbedtls/debug.h"
30#include "mbedtls/error.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]31#include "mbedtls/constant_time.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]32
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]33#if defined(MBEDTLS_USE_PSA_CRYPTO)
34#include "mbedtls/psa_util.h"
Ronald Cron69a63422021-10-18 09:47:58 +0200[diff] [blame]35#include "psa/crypto.h"
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]36#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]37/* Define a local translating function to save code size by not using too many
38 * arguments in each translating place. */
39static int local_err_translation(psa_status_t status)
40{
41 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]42 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]43 psa_generic_status_to_mbedtls);
44}
45#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]46#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]47#endif /* MBEDTLS_USE_PSA_CRYPTO */
48
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]49#include <string.h>
50
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]51#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]54#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]55#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]58#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]59#endif
60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]62MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]63static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
64 unsigned char *buf,
65 const unsigned char *end,
66 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]67{
68 unsigned char *p = buf;
69
70 *olen = 0;
71
Tom Cosgrovece7f18c2022-07-28 05:50:56 +0100[diff] [blame]72 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]73 * initial ClientHello, in which case also adding the renegotiation
74 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]75 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
76 return 0;
77 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]78
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG(3,
80 ("client hello, adding renegotiation extension"));
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]81
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]82 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]83
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]84 /*
85 * Secure renegotiation
86 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]87 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]88 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]89
90 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]91 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
92 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]95
96 *olen = 5 + ssl->verify_data_len;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]97
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]99}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]100#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]101
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]102#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
103 defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]104 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]105
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]106MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
108 unsigned char *buf,
109 const unsigned char *end,
110 size_t *olen)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]111{
112 unsigned char *p = buf;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]113 (void) ssl; /* ssl used for debugging only */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]114
115 *olen = 0;
116
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_DEBUG_MSG(3,
118 ("client hello, adding supported_point_formats extension"));
119 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]120
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]122 p += 2;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]123
124 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]125 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]126
127 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]128 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]129
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]130 *olen = 6;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]131
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]132 return 0;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]133}
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]134#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
135 MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]136
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]137#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]138MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]139static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
140 unsigned char *buf,
141 const unsigned char *end,
142 size_t *olen)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]143{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]144 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]145 unsigned char *p = buf;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]146 size_t kkpp_len = 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]147
148 *olen = 0;
149
150 /* Skip costly extension if we can't use EC J-PAKE anyway */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]151#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]152 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
153 return 0;
154 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]155#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]156 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
157 return 0;
158 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]159#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]160
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_DEBUG_MSG(3,
162 ("client hello, adding ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]163
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]164 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]165
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]167 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]168
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]169 /*
170 * We may need to send ClientHello multiple times for Hello verification.
171 * We don't want to compute fresh values every time (both for performance
172 * and consistency reasons), so cache the extension content.
173 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]174 if (ssl->handshake->ecjpake_cache == NULL ||
175 ssl->handshake->ecjpake_cache_len == 0) {
176 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]177
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]178#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti6b3dab02022-11-17 17:14:54 +0100[diff] [blame]179 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]180 p + 2, end - p - 2, &kkpp_len,
181 MBEDTLS_ECJPAKE_ROUND_ONE);
182 if (ret != 0) {
183 psa_destroy_key(ssl->handshake->psa_pake_password);
184 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
185 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
186 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]187 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]188#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
190 p + 2, end - p - 2, &kkpp_len,
191 ssl->conf->f_rng, ssl->conf->p_rng);
192 if (ret != 0) {
193 MBEDTLS_SSL_DEBUG_RET(1,
194 "mbedtls_ecjpake_write_round_one", ret);
195 return ret;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]196 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]197#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]198
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]199 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
200 if (ssl->handshake->ecjpake_cache == NULL) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
202 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]206 ssl->handshake->ecjpake_cache_len = kkpp_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]207 } else {
208 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]209
210 kkpp_len = ssl->handshake->ecjpake_cache_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]211 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]212
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]214 }
215
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]216 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]217 p += 2;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]218
219 *olen = kkpp_len + 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]221 return 0;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]222}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]223#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]224
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]225#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]226MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
228 unsigned char *buf,
229 const unsigned char *end,
230 size_t *olen)
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]231{
232 unsigned char *p = buf;
233 size_t ext_len;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]234
235 /*
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]236 * struct {
237 * opaque cid<0..2^8-1>;
238 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]239 */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]240
241 *olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]242 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
243 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
244 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]245 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]246 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]247
248 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
249 * which is at most 255, so the increment cannot overflow. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]250 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]251
252 /* Add extension ID + size */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]253 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]254 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]255 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]256 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]257 p += 2;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]258
259 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]261
262 *olen = ssl->own_cid_len + 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]263
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264 return 0;
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]265}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]266#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker49770ff2019-04-25 16:55:15 +0100[diff] [blame]267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]268#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]269MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]270static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
271 unsigned char *buf,
272 const unsigned char *end,
273 size_t *olen)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]274{
275 unsigned char *p = buf;
276
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]277 *olen = 0;
278
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]279 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
280 return 0;
281 }
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]282
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 MBEDTLS_SSL_DEBUG_MSG(3,
284 ("client hello, adding max_fragment_length extension"));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]286 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]287
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]288 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]289 p += 2;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]290
291 *p++ = 0x00;
292 *p++ = 1;
293
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]294 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]295
296 *olen = 5;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]297
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]298 return 0;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]299}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]300#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]302#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]303MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]304static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
305 unsigned char *buf,
306 const unsigned char *end,
307 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]308{
309 unsigned char *p = buf;
310
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]311 *olen = 0;
312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
314 return 0;
315 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]317 MBEDTLS_SSL_DEBUG_MSG(3,
318 ("client hello, adding encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]319
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]320 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]321
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]323 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]324
325 *p++ = 0x00;
326 *p++ = 0x00;
327
328 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]331}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]332#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]333
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]334#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]335MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]336static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
337 unsigned char *buf,
338 const unsigned char *end,
339 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]340{
341 unsigned char *p = buf;
342
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]343 *olen = 0;
344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]345 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
346 return 0;
347 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]348
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]349 MBEDTLS_SSL_DEBUG_MSG(3,
350 ("client hello, adding extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]351
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]352 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]354 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]355 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]356
357 *p++ = 0x00;
358 *p++ = 0x00;
359
360 *olen = 4;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]362 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]363}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]364#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]367MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
369 unsigned char *buf,
370 const unsigned char *end,
371 size_t *olen)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]372{
373 unsigned char *p = buf;
374 size_t tlen = ssl->session_negotiate->ticket_len;
375
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]376 *olen = 0;
377
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]378 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
379 return 0;
380 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]382 MBEDTLS_SSL_DEBUG_MSG(3,
383 ("client hello, adding session ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]384
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]385 /* The addition is safe here since the ticket length is 16 bit. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]388 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]389 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]390
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]391 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]392 p += 2;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]393
394 *olen = 4;
395
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]396 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
397 return 0;
398 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]399
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]400 MBEDTLS_SSL_DEBUG_MSG(3,
401 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]402
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]403 memcpy(p, ssl->session_negotiate->ticket, tlen);
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]404
405 *olen += tlen;
Hanno Becker261602c2017-04-12 14:54:42 +0100[diff] [blame]406
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]407 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]408}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]410
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]411#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]412MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]413static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
414 unsigned char *buf,
415 const unsigned char *end,
416 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]417{
418 unsigned char *p = buf;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]419 size_t protection_profiles_index = 0, ext_len = 0;
420 uint16_t mki_len = 0, profile_value = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]421
422 *olen = 0;
423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]424 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
425 (ssl->conf->dtls_srtp_profile_list == NULL) ||
426 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
427 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]428 }
429
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]430 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]431 * uint8 SRTPProtectionProfile[2];
432 *
433 * struct {
434 * SRTPProtectionProfiles SRTPProtectionProfiles;
435 * opaque srtp_mki<0..255>;
436 * } UseSRTPData;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]437 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]438 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]439 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]440 mki_len = ssl->dtls_srtp_info.mki_len;
441 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]442 /* Extension length = 2 bytes for profiles length,
443 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
444 * 1 byte for srtp_mki vector length and the mki_len value
445 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]446 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]449
450 /* Check there is room in the buffer for the extension + 4 bytes
451 * - the extension tag (2 bytes)
452 * - the extension length (2 bytes)
453 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]454 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]455
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]456 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]457 p += 2;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]458
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]459 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]460 p += 2;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]461
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]462 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
Johan Pascalaae4d222020-09-22 21:21:39 +0200[diff] [blame]463 /* micro-optimization:
464 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
465 * which is lower than 127, so the upper byte of the length is always 0
466 * For the documentation, the more generic code is left in comments
467 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
468 * >> 8 ) & 0xFF );
469 */
470 *p++ = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]471 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]473 for (protection_profiles_index = 0;
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]474 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]475 protection_profiles_index++) {
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]476 profile_value = mbedtls_ssl_check_srtp_profile_value
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
478 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
479 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
480 profile_value));
481 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]482 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 } else {
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]484 /*
485 * Note: we shall never arrive here as protection profiles
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]486 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]487 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]488 MBEDTLS_SSL_DEBUG_MSG(3,
489 ("client hello, "
490 "illegal DTLS-SRTP protection profile %d",
491 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
492 ));
493 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]494 }
495 }
496
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]497 *p++ = mki_len & 0xFF;
498
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]499 if (mki_len != 0) {
500 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]501 /*
502 * Increment p to point to the current position.
503 */
504 p += mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
506 ssl->dtls_srtp_info.mki_len);
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]507 }
508
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]509 /*
510 * total extension length: extension type (2 bytes)
511 * + extension length (2 bytes)
512 * + protection profile length (2 bytes)
513 * + 2 * number of protection profiles
514 * + srtp_mki vector length(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]515 * + mki value
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]516 */
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]517 *olen = p - buf;
Johan Pascal77696ee2020-09-22 21:49:40 +0200[diff] [blame]518
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]519 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]520}
521#endif /* MBEDTLS_SSL_DTLS_SRTP */
522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]523int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
524 unsigned char *buf,
525 const unsigned char *end,
526 int uses_ec,
527 size_t *out_len)
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]528{
529 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
530 unsigned char *p = buf;
531 size_t ext_len = 0;
532
533 (void) ssl;
534 (void) end;
535 (void) uses_ec;
536 (void) ret;
537 (void) ext_len;
538
539 *out_len = 0;
540
541 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
542 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
543#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]544 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
545 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
546 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]547 }
548 p += ext_len;
549#endif
550
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]551#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
552 defined(MBEDTLS_ECDSA_C) || \
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]553 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]554 if (uses_ec) {
555 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
556 &ext_len)) != 0) {
557 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
558 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]559 }
560 p += ext_len;
561 }
562#endif
563
564#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]565 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
566 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
567 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]568 }
569 p += ext_len;
570#endif
571
572#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
574 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
575 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]576 }
577 p += ext_len;
578#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
579
580#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]581 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
582 &ext_len)) != 0) {
583 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
584 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]585 }
586 p += ext_len;
587#endif
588
589#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
591 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
592 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]593 }
594 p += ext_len;
595#endif
596
597#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]598 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
599 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
600 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]601 }
602 p += ext_len;
603#endif
604
605#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
607 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
608 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]609 }
610 p += ext_len;
611#endif
612
613#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
615 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
616 return ret;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]617 }
618 p += ext_len;
619#endif
620
621 *out_len = p - buf;
622
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]623 return 0;
Ronald Cron12dcdf02022-02-16 15:28:22 +0100[diff] [blame]624}
625
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]626MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]627static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
628 const unsigned char *buf,
629 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]630{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]633 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 if (len != 1 + ssl->verify_data_len * 2 ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]635 buf[0] != ssl->verify_data_len * 2 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 mbedtls_ct_memcmp(buf + 1,
637 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
638 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
639 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
640 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]641 mbedtls_ssl_send_alert_message(
642 ssl,
643 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]644 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
645 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]646 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]648#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]649 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 if (len != 1 || buf[0] != 0x00) {
651 MBEDTLS_SSL_DEBUG_MSG(1,
652 ("non-zero length renegotiation info"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]653 mbedtls_ssl_send_alert_message(
654 ssl,
655 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]656 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
657 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]658 }
659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]660 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]661 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]662
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]664}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]667MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]668static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
669 const unsigned char *buf,
670 size_t len)
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]671{
672 /*
673 * server should use the extension only if we did,
674 * and if so the server's value should match ours (and len is always 1)
675 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]677 len != 1 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 buf[0] != ssl->conf->mfl_code) {
679 MBEDTLS_SSL_DEBUG_MSG(1,
680 ("non-matching max fragment length extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]681 mbedtls_ssl_send_alert_message(
682 ssl,
683 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]684 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
685 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]686 }
687
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]688 return 0;
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]689}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]691
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]692#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]693MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]694static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
695 const unsigned char *buf,
696 size_t len)
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]697{
698 size_t peer_cid_len;
699
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]700 if ( /* CID extension only makes sense in DTLS */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]701 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
702 /* The server must only send the CID extension if we have offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
704 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
705 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
706 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
707 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Hanno Becker22626482019-05-03 12:46:59 +0100[diff] [blame]708 }
709
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]710 if (len == 0) {
711 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
712 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
713 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
714 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]715 }
716
717 peer_cid_len = *buf++;
718 len--;
719
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
721 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
722 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
723 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
724 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]725 }
726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]727 if (len != peer_cid_len) {
728 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
729 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
730 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
731 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]732 }
733
Hanno Becker5a299902019-05-03 12:47:49 +0100[diff] [blame]734 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]735 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]736 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]738 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
739 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]740
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]741 return 0;
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]742}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]743#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]744
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]745#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]746MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]747static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
748 const unsigned char *buf,
749 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]750{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]751 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
752 len != 0) {
753 MBEDTLS_SSL_DEBUG_MSG(1,
754 ("non-matching encrypt-then-MAC extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]755 mbedtls_ssl_send_alert_message(
756 ssl,
757 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]758 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
759 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]760 }
761
762 ((void) buf);
763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]764 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]767}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]769
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]770#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]771MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]772static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
773 const unsigned char *buf,
774 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]775{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
777 len != 0) {
778 MBEDTLS_SSL_DEBUG_MSG(1,
779 ("non-matching extended master secret extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]780 mbedtls_ssl_send_alert_message(
781 ssl,
782 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]783 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
784 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]785 }
786
787 ((void) buf);
788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]789 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]790
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]791 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]792}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]793#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]794
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]795#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]796MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]797static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
798 const unsigned char *buf,
799 size_t len)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]800{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]801 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
802 len != 0) {
803 MBEDTLS_SSL_DEBUG_MSG(1,
804 ("non-matching session ticket extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]805 mbedtls_ssl_send_alert_message(
806 ssl,
807 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]808 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
809 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]810 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]811
812 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]813
814 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]816 return 0;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]817}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]818#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]819
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]820#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
821 defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]822 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]823MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]824static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
825 const unsigned char *buf,
826 size_t len)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]827{
828 size_t list_size;
829 const unsigned char *p;
830
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 if (len == 0 || (size_t) (buf[0] + 1) != len) {
832 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
833 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
834 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
835 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]836 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]837 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]838
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]839 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]840 while (list_size > 0) {
841 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
842 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]843#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
844 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]845 ssl->handshake->ecdh_ctx.point_format = p[0];
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]846#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]847#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]848 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
849 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
850 p[0]);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]851#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
853 return 0;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]854 }
855
856 list_size--;
857 p++;
858 }
859
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]860 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
861 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
862 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
863 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]864}
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]865#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
866 MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]867
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]868#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]869MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]870static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
871 const unsigned char *buf,
872 size_t len)
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]873{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]874 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]876 if (ssl->handshake->ciphersuite_info->key_exchange !=
877 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
878 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
879 return 0;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]880 }
881
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]882 /* If we got here, we no longer need our cached extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]883 mbedtls_free(ssl->handshake->ecjpake_cache);
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]884 ssl->handshake->ecjpake_cache = NULL;
885 ssl->handshake->ecjpake_cache_len = 0;
886
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]887#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 if ((ret = mbedtls_psa_ecjpake_read_round(
889 &ssl->handshake->psa_pake_ctx, buf, len,
890 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
891 psa_destroy_key(ssl->handshake->psa_pake_password);
892 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]893
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]895 mbedtls_ssl_send_alert_message(
896 ssl,
897 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
899 return ret;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]900 }
901
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]902 return 0;
903#else
904 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
905 buf, len)) != 0) {
906 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
907 mbedtls_ssl_send_alert_message(
908 ssl,
909 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
910 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
911 return ret;
912 }
913
914 return 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]915#endif /* MBEDTLS_USE_PSA_CRYPTO */
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]916}
917#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]918
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]919#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]920MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]921static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
922 const unsigned char *buf, size_t len)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]923{
924 size_t list_len, name_len;
925 const char **p;
926
927 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]928 if (ssl->conf->alpn_list == NULL) {
929 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]930 mbedtls_ssl_send_alert_message(
931 ssl,
932 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]933 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
934 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]935 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]936
937 /*
938 * opaque ProtocolName<1..2^8-1>;
939 *
940 * struct {
941 * ProtocolName protocol_name_list<2..2^16-1>
942 * } ProtocolNameList;
943 *
944 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
945 */
946
947 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]948 if (len < 4) {
949 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
950 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
951 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]952 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 list_len = (buf[0] << 8) | buf[1];
955 if (list_len != len - 2) {
956 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
957 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
958 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]959 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]960
961 name_len = buf[2];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 if (name_len != list_len - 1) {
963 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
964 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
965 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]966 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]967
968 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
970 if (name_len == strlen(*p) &&
971 memcmp(buf + 3, *p, name_len) == 0) {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]972 ssl->alpn_chosen = *p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973 return 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]974 }
975 }
976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]977 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
978 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
979 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
980 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]981}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]982#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]983
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]984#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]985MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
987 const unsigned char *buf,
988 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]989{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]990 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]991 size_t i, mki_len = 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]992 uint16_t server_protection_profile_value = 0;
993
994 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
996 (ssl->conf->dtls_srtp_profile_list == NULL) ||
997 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
998 return 0;
999 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1000
Ron Eldora9788042018-12-05 11:04:31 +0200[diff] [blame]1001 /* RFC 5764 section 4.1.1
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1002 * uint8 SRTPProtectionProfile[2];
1003 *
1004 * struct {
1005 * SRTPProtectionProfiles SRTPProtectionProfiles;
1006 * opaque srtp_mki<0..255>;
1007 * } UseSRTPData;
1008
1009 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1010 *
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1011 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1013 mki_len = ssl->dtls_srtp_info.mki_len;
1014 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1015
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1016 /*
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]1017 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1018 * + protection profile (2 bytes)
1019 * + mki_len(1 byte)
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]1020 * and optional srtp_mki
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1021 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1022 if ((len < 5) || (len != (buf[4] + 5u))) {
1023 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1024 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1025
1026 /*
1027 * get the server protection profile
1028 */
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1029
1030 /*
1031 * protection profile length must be 0x0002 as we must have only
1032 * one protection profile in server Hello
1033 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1034 if ((buf[0] != 0) || (buf[1] != 2)) {
1035 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1036 }
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1037
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1038 server_protection_profile_value = (buf[2] << 8) | buf[3];
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1039 server_protection = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 server_protection_profile_value);
1041 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1042 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1043 mbedtls_ssl_get_srtp_profile_as_string(
1044 server_protection)));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1045 }
1046
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1047 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1048
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1049 /*
1050 * Check we have the server profile in our list
1051 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1053 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]1054 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1055 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1056 mbedtls_ssl_get_srtp_profile_as_string(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1057 server_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1058 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1059 }
1060 }
1061
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1062 /* If no match was found : server problem, it shall never answer with incompatible profile */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1063 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1064 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1065 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1066 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1067 }
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1068
1069 /* If server does not use mki in its reply, make sure the client won't keep
1070 * one as negotiated */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1071 if (len == 5) {
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]1072 ssl->dtls_srtp_info.mki_len = 0;
1073 }
1074
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1075 /*
1076 * RFC5764:
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1077 * If the client detects a nonzero-length MKI in the server's response
1078 * that is different than the one the client offered, then the client
1079 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1080 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1081 if (len > 5 && (buf[4] != mki_len ||
1082 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1083 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1084 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1085 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1086 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1087#if defined(MBEDTLS_DEBUG_C)
1088 if (len > 5) {
1089 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1090 ssl->dtls_srtp_info.mki_len);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]1091 }
1092#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1094}
1095#endif /* MBEDTLS_SSL_DTLS_SRTP */
1096
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1097/*
1098 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1099 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1102static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1103{
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1104 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1105 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1106 uint16_t dtls_legacy_version;
Jerry Yue01304f2022-04-07 10:51:55 +0800[diff] [blame]1107
1108#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1109 uint8_t cookie_len;
1110#else
1111 uint16_t cookie_len;
1112#endif
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1114 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1115
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1116 /* Check that there is enough room for:
1117 * - 2 bytes of version
1118 * - 1 byte of cookie_len
1119 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1120 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1121 MBEDTLS_SSL_DEBUG_MSG(1,
1122 ("incoming HelloVerifyRequest message is too short"));
1123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1124 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1125 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Gilles Peskineb64bf062019-09-27 14:02:44 +0200[diff] [blame]1126 }
1127
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1128 /*
1129 * struct {
1130 * ProtocolVersion server_version;
1131 * opaque cookie<0..2^8-1>;
1132 * } HelloVerifyRequest;
1133 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1134 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1135 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1136 p += 2;
1137
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1138 /*
Glenn Strauss83158112022-04-13 14:59:34 -0400[diff] [blame]1139 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1140 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1141 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
TRodziewicz2d8800e2021-05-13 19:14:19 +0200[diff] [blame]1142 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1143 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1144 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1145
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1146 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1147 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1148
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1149 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1150 }
1151
1152 cookie_len = *p++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1153 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1154 MBEDTLS_SSL_DEBUG_MSG(1,
1155 ("cookie length does not match incoming message size"));
1156 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1157 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1158 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1159 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1160 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1161
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1162 mbedtls_free(ssl->handshake->cookie);
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1163
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1164 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1165 if (ssl->handshake->cookie == NULL) {
1166 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1167 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1168 }
1169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1170 memcpy(ssl->handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1171 ssl->handshake->cookie_len = cookie_len;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1172
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1173 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1174 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]1175 ret = mbedtls_ssl_reset_checksum(ssl);
1176 if (0 != ret) {
1177 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1178 return ret;
1179 }
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1181 mbedtls_ssl_recv_flight_completed(ssl);
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1182
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1183 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 return 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1186}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1187#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1188
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1189MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1190static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1191{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1192 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1193 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1194 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1195 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1196 unsigned char comp;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1197#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1198 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1199#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1200 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1201 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1203 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1205 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1206 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1207 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1208 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1209 }
1210
Hanno Becker79594fd2019-05-08 09:38:41 +0100[diff] [blame]1211 buf = ssl->in_msg;
1212
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1213 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1214#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1216 ssl->renego_records_seen++;
1217
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1218 if (ssl->conf->renego_max_records >= 0 &&
1219 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1220 MBEDTLS_SSL_DEBUG_MSG(1,
1221 ("renegotiation requested, but not honored by server"));
1222 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1223 }
1224
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1225 MBEDTLS_SSL_DEBUG_MSG(1,
1226 ("non-handshake message during renegotiation"));
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1227
1228 ssl->keep_current_message = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1230 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1232
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1233 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1234 mbedtls_ssl_send_alert_message(
1235 ssl,
1236 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1237 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1238 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 }
1240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1241#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1242 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1243 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1244 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1245 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1246 return ssl_parse_hello_verify_request(ssl);
1247 } else {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1248 /* We made it through the verification process */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1249 mbedtls_free(ssl->handshake->cookie);
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]1250 ssl->handshake->cookie = NULL;
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1251 ssl->handshake->cookie_len = 0;
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1252 }
1253 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1254#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1256 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1257 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1261 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262 }
1263
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1264 /*
1265 * 0 . 1 server_version
1266 * 2 . 33 random (maybe including 4 bytes of Unix time)
1267 * 34 . 34 session_id length = n
1268 * 35 . 34+n session_id
1269 * 35+n . 36+n cipher_suite
1270 * 37+n . 37+n compression_method
1271 *
1272 * 38+n . 39+n extensions length (optional)
1273 * 40+n . .. extensions
1274 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1275 buf += mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1276
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1277 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
1278 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1279 ssl->session_negotiate->tls_version = ssl->tls_version;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1280
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1281 if (ssl->tls_version < ssl->conf->min_tls_version ||
1282 ssl->tls_version > ssl->conf->max_tls_version) {
1283 MBEDTLS_SSL_DEBUG_MSG(1,
1284 (
1285 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1286 (unsigned) ssl->conf->min_tls_version,
1287 (unsigned) ssl->tls_version,
1288 (unsigned) ssl->conf->max_tls_version));
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1289
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1290 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1291 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1293 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1294 }
1295
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1296 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1297 ((unsigned long) buf[2] << 24) |
1298 ((unsigned long) buf[3] << 16) |
1299 ((unsigned long) buf[4] << 8) |
1300 ((unsigned long) buf[5])));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1302 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1304 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1306 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1308 if (n > 32) {
1309 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1310 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1311 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1312 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313 }
1314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1316 ext_len = ((buf[38 + n] << 8)
1317 | (buf[39 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1319 if ((ext_len > 0 && ext_len < 4) ||
1320 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1321 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1322 mbedtls_ssl_send_alert_message(
1323 ssl,
1324 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1325 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1326 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1327 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1328 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1329 ext_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1330 } else {
1331 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1332 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1333 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1334 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1335 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1337 /* ciphersuite (used later) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1338 i = (buf[35 + n] << 8) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1339
1340 /*
1341 * Read and check compression
1342 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1343 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1345 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1346 MBEDTLS_SSL_DEBUG_MSG(1,
1347 ("server hello, bad compression: %d", comp));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1348 mbedtls_ssl_send_alert_message(
1349 ssl,
1350 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1351 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1352 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1353 }
1354
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1355 /*
1356 * Initialize update checksum functions
1357 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1358 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1359 if (ssl->handshake->ciphersuite_info == NULL) {
1360 MBEDTLS_SSL_DEBUG_MSG(1,
1361 ("ciphersuite info for %04x not found", (unsigned int) i));
1362 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1363 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1364 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1365 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1366
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1367 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1369 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1370 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371
1372 /*
1373 * Check if the session can be resumed
1374 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1375 if (ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1376#if defined(MBEDTLS_SSL_RENEGOTIATION)
1377 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1378#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1379 ssl->session_negotiate->ciphersuite != i ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1380 ssl->session_negotiate->id_len != n ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1381 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1382 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1383 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 ssl->session_negotiate->start = mbedtls_time(NULL);
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1386#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1387 ssl->session_negotiate->ciphersuite = i;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1388 ssl->session_negotiate->id_len = n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1389 memcpy(ssl->session_negotiate->id, buf + 35, n);
1390 } else {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392 }
1393
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1394 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1395 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1397 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1398 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1399 buf[37 + n]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1401 /*
1402 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1403 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404 i = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1405 while (1) {
1406 if (ssl->conf->ciphersuite_list[i] == 0) {
1407 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1408 mbedtls_ssl_send_alert_message(
1409 ssl,
1410 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1412 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413 }
1414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1415 if (ssl->conf->ciphersuite_list[i++] ==
1416 ssl->session_negotiate->ciphersuite) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1417 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1418 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419 }
1420
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1421 suite_info = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1422 ssl->session_negotiate->ciphersuite);
1423 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1424 ssl->tls_version) != 0) {
1425 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1426 mbedtls_ssl_send_alert_message(
1427 ssl,
1428 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1429 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1430 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1431 }
1432
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 MBEDTLS_SSL_DEBUG_MSG(3,
1434 ("server hello, chosen ciphersuite: %s", suite_info->name));
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1435
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1436#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1437 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1438 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1439 ssl->handshake->ecrs_enabled = 1;
1440 }
1441#endif
1442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1443 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1444 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1445 mbedtls_ssl_send_alert_message(
1446 ssl,
1447 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1449 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450 }
1451
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1452 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1453
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1454 MBEDTLS_SSL_DEBUG_MSG(2,
1455 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1456 ext_len));
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1458 while (ext_len) {
1459 unsigned int ext_id = ((ext[0] << 8)
1460 | (ext[1]));
1461 unsigned int ext_size = ((ext[2] << 8)
1462 | (ext[3]));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1463
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1464 if (ext_size + 4 > ext_len) {
1465 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1466 mbedtls_ssl_send_alert_message(
1467 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1469 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1470 }
1471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1472 switch (ext_id) {
1473 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1474 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1477#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1479 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1480 ext_size)) != 0) {
1481 return ret;
1482 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1484 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1488 MBEDTLS_SSL_DEBUG_MSG(3,
1489 ("found max_fragment_length extension"));
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1490
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1491 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1492 ext + 4, ext_size)) != 0) {
1493 return ret;
1494 }
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1496 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1498
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1499#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1500 case MBEDTLS_TLS_EXT_CID:
1501 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1502
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1503 if ((ret = ssl_parse_cid_ext(ssl,
1504 ext + 4,
1505 ext_size)) != 0) {
1506 return ret;
1507 }
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1509 break;
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1510#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Beckera8373a12019-04-26 15:37:26 +0100[diff] [blame]1511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1512#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1514 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1515
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1516 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1517 ext + 4, ext_size)) != 0) {
1518 return ret;
1519 }
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1520
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1521 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1522#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1523
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1525 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1526 MBEDTLS_SSL_DEBUG_MSG(3,
1527 ("found extended_master_secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1529 if ((ret = ssl_parse_extended_ms_ext(ssl,
1530 ext + 4, ext_size)) != 0) {
1531 return ret;
1532 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1534 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1535#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1536
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1537#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1539 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 if ((ret = ssl_parse_session_ticket_ext(ssl,
1542 ext + 4, ext_size)) != 0) {
1543 return ret;
1544 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1548
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1549#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1550 defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1551 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1552 MBEDTLS_SSL_DEBUG_MSG(3,
1553 ("found supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1556 ext + 4, ext_size)) != 0) {
1557 return ret;
1558 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1559
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1560 break;
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1561#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1562 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1563
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1564#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1566 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1567
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1568 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1569 ext + 4, ext_size)) != 0) {
1570 return ret;
1571 }
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1572
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1573 break;
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1574#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1576#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1577 case MBEDTLS_TLS_EXT_ALPN:
1578 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1581 return ret;
1582 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1585#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1586
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1587#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1588 case MBEDTLS_TLS_EXT_USE_SRTP:
1589 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1591 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1592 return ret;
1593 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1594
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1596#endif /* MBEDTLS_SSL_DTLS_SRTP */
1597
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1598 default:
1599 MBEDTLS_SSL_DEBUG_MSG(3,
1600 ("unknown extension found: %u (ignoring)", ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1601 }
1602
1603 ext_len -= 4 + ext_size;
1604 ext += 4 + ext_size;
1605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 if (ext_len > 0 && ext_len < 4) {
1607 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1608 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1609 }
1610 }
1611
1612 /*
Andrzej Kurek21b50802022-07-06 03:26:55 -0400[diff] [blame]1613 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1614 * extensions. It sets the transform data for the resumed session which in
1615 * case of DTLS includes the server CID extracted from the CID extension.
1616 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1617 if (ssl->handshake->resume) {
1618 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1619 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1620 mbedtls_ssl_send_alert_message(
1621 ssl,
1622 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1623 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1624 return ret;
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]1625 }
1626 }
1627
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1628 /*
1629 * Renegotiation security checks
1630 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1631 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1632 ssl->conf->allow_legacy_renegotiation ==
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1633 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1634 MBEDTLS_SSL_DEBUG_MSG(1,
1635 ("legacy renegotiation, breaking off handshake"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1636 handshake_failure = 1;
1637 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1638#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1639 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1640 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1641 renegotiation_info_seen == 0) {
1642 MBEDTLS_SSL_DEBUG_MSG(1,
1643 ("renegotiation_info extension missing (secure)"));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1644 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1645 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1646 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1647 ssl->conf->allow_legacy_renegotiation ==
1648 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1649 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1650 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1651 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1652 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1653 renegotiation_info_seen == 1) {
1654 MBEDTLS_SSL_DEBUG_MSG(1,
1655 ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1656 handshake_failure = 1;
1657 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1658#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1659
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1660 if (handshake_failure == 1) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]1661 mbedtls_ssl_send_alert_message(
1662 ssl,
1663 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1664 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1665 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1666 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1667
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1668 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1670 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1671}
1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1674 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1675MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1676static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1677 unsigned char **p,
1678 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1679{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1680 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Gilles Peskinee8a2fc82020-12-08 22:46:11 +0100[diff] [blame]1681 size_t dhm_actual_bitlen;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1682
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1683 /*
1684 * Ephemeral DH parameters:
1685 *
1686 * struct {
1687 * opaque dh_p<1..2^16-1>;
1688 * opaque dh_g<1..2^16-1>;
1689 * opaque dh_Ys<1..2^16-1>;
1690 * } ServerDHParams;
1691 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1693 p, end)) != 0) {
1694 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1695 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1696 }
1697
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1698 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1699 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1700 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1701 dhm_actual_bitlen,
1702 ssl->conf->dhm_min_bitlen));
1703 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1704 }
1705
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1707 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1708 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1709
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1710 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1711}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1712#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1713 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1714
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1715#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1716#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1717 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1718 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1719MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1721 unsigned char **p,
1722 unsigned char *end)
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1723{
1724 uint16_t tls_id;
1725 uint8_t ecpoint_len;
1726 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]1727 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1728 size_t ec_bits = 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1729
1730 /*
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1731 * struct {
1732 * ECParameters curve_params;
1733 * ECPoint public;
1734 * } ServerECDHParams;
1735 *
Manuel Pégourié-Gonnard422370d2022-02-07 11:55:21 +0100[diff] [blame]1736 * 1 curve_type (must be "named_curve")
Manuel Pégourié-Gonnarde5119892021-12-09 11:45:03 +0100[diff] [blame]1737 * 2..3 NamedCurve
1738 * 4 ECPoint.len
1739 * 5+ ECPoint contents
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1740 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1741 if (end - *p < 4) {
1742 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1743 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1744
1745 /* First byte is curve_type; only named_curve is handled */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1746 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1747 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1748 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1749
1750 /* Next two bytes are the namedcurve value */
1751 tls_id = *(*p)++;
1752 tls_id <<= 8;
1753 tls_id |= *(*p)++;
1754
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1755 /* Check it's a curve we offered */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1757 MBEDTLS_SSL_DEBUG_MSG(2,
1758 ("bad server key exchange message (ECDHE curve): %u",
1759 (unsigned) tls_id));
1760 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardff229cf2022-02-07 12:00:32 +0100[diff] [blame]1761 }
Manuel Pégourié-Gonnard141be6c2022-01-25 11:46:19 +0100[diff] [blame]1762
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]1763 /* Convert EC's TLS ID to PSA key type. */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]1764 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1765 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1766 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1767 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1768 handshake->xxdh_psa_type = key_type;
1769 handshake->xxdh_bits = ec_bits;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1770
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1771 /* Keep a copy of the peer's public key */
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1772 ecpoint_len = *(*p)++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1773 if ((size_t) (end - *p) < ecpoint_len) {
1774 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1775 }
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1776
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1777 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
1778 the sizes of the FFDH keys which are at least 2048 bits.
1779 The size of the array is thus greater than 256 bytes which is greater than any
1780 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1781#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1782 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1783 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1784 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]1785#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]1786 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
1787 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]1788#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1789
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]1790 memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
1791 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1792 *p += ecpoint_len;
Manuel Pégourié-Gonnard4a0ac1f2022-01-18 12:30:40 +0100[diff] [blame]1793
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1794 return 0;
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1795}
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1796#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1797 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1798 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]1799#else
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1800#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1801 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1802 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1803 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1804 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1805MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1806static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1807{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]1808 uint16_t tls_id;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1809 mbedtls_ecp_group_id grp_id;
1810#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1811 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1812#else
1813 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1814#endif
Hanno Beckerbb89e272019-01-08 12:54:37 +0000[diff] [blame]1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1817 if (tls_id == 0) {
1818 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1819 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1820 }
1821
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1822 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1823 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1824
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1825 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1826 return -1;
1827 }
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1829 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1830 MBEDTLS_DEBUG_ECDH_QP);
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1831
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1832 return 0;
Neil Armstrong1f198d82022-04-13 15:02:30 +0200[diff] [blame]1833}
1834
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1835#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1836 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1837 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1838 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1839 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1840
1841#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1842 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1843 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1844MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1845static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1846 unsigned char **p,
1847 unsigned char *end)
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1848{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1850
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1851 /*
1852 * Ephemeral ECDH parameters:
1853 *
1854 * struct {
1855 * ECParameters curve_params;
1856 * ECPoint public;
1857 * } ServerECDHParams;
1858 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1860 (const unsigned char **) p, end)) != 0) {
1861 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1862#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1863 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]1864 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1865 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]1866#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1867 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1868 }
1869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1870 if (ssl_check_server_ecdh_params(ssl) != 0) {
1871 MBEDTLS_SSL_DEBUG_MSG(1,
1872 ("bad server key exchange message (ECDHE curve)"));
1873 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1874 }
1875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1876 return ret;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1877}
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1878#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1879 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
Andrzej Kurek468c5062022-10-24 10:30:14 -0400[diff] [blame]1880 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1881#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1882#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1883MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1884static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1885 unsigned char **p,
1886 unsigned char *end)
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1887{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1888 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]1889 uint16_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1890 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1891
1892 /*
1893 * PSK parameters:
1894 *
1895 * opaque psk_identity_hint<0..2^16-1>;
1896 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1897 if (end - (*p) < 2) {
1898 MBEDTLS_SSL_DEBUG_MSG(1,
1899 ("bad server key exchange message (psk_identity_hint length)"));
1900 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]1901 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]1902 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1903 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1904
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1905 if (end - (*p) < len) {
1906 MBEDTLS_SSL_DEBUG_MSG(1,
1907 ("bad server key exchange message (psk_identity_hint length)"));
1908 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1909 }
1910
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1911 /*
Tom Cosgroveed4f59e2022-12-05 12:07:50 +0000[diff] [blame]1912 * Note: we currently ignore the PSK identity hint, as we only allow one
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1913 * PSK to be provisioned on the client. This could be changed later if
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]1914 * someone needs that feature.
1915 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1916 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1917 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1919 return ret;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1920}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1921#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1924 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1925/*
1926 * Generate a pre-master secret and encrypt it with the server's RSA key
1927 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1928MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1929static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1930 size_t offset, size_t *olen,
1931 size_t pms_offset)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1932{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1933 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]1934 size_t len_bytes = 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1935 unsigned char *p = ssl->handshake->premaster + pms_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1936 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1937
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1938 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1939 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1940 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]1941 }
1942
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1943 /*
1944 * Generate (part of) the pre-master as
1945 * struct {
1946 * ProtocolVersion client_version;
1947 * opaque random[46];
1948 * } PreMasterSecret;
1949 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950 mbedtls_ssl_write_version(p, ssl->conf->transport,
1951 MBEDTLS_SSL_VERSION_TLS1_2);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1952
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1953 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1954 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1955 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1956 }
1957
1958 ssl->handshake->pmslen = 48;
1959
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1960#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1961 peer_pk = &ssl->handshake->peer_pubkey;
1962#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1963 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]1964 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1965 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1966 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1967 }
Hanno Beckerc7d7e292019-02-06 16:49:54 +0000[diff] [blame]1968 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1969#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]1970
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1971 /*
1972 * Now write it out, encrypted
1973 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1974 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1975 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1976 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1977 }
1978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1979 if ((ret = mbedtls_pk_encrypt(peer_pk,
1980 p, ssl->handshake->pmslen,
1981 ssl->out_msg + offset + len_bytes, olen,
1982 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1983 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1984 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1985 return ret;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1986 }
1987
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1988 if (len_bytes == 2) {
1989 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1990 *olen += 2;
1991 }
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1992
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1993#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1994 /* We don't need the peer's public key anymore. Free it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]1996#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1997 return 0;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1998}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2000 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2002#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2003 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2004MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2005static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2006{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2007 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2008 mbedtls_pk_context *peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2009
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2010#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2011 peer_pk = &ssl->handshake->peer_pubkey;
2012#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2013 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Becker8273df82019-02-06 17:37:32 +0000[diff] [blame]2014 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2015 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2016 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2017 }
Hanno Beckerbe7f5082019-02-06 17:44:07 +0000[diff] [blame]2018 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2019#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2020
Manuel Pégourié-Gonnard66b0d612022-06-17 10:49:29 +0200[diff] [blame]2021 /* This is a public key, so it can't be opaque, so can_do() is a good
2022 * enough check to ensure pk_ec() is safe to use below. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2023 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2024 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2025 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2026 }
2027
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2028#if defined(MBEDTLS_ECP_C)
2029 const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
2030#endif /* MBEDTLS_ECP_C */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2031
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2032#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2033 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2034 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2035 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2036
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2037 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2038 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2039 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2040 }
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2041
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2042 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2043 if (tls_id == 0) {
2044 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2045 grp_id));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2046 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2047 }
2048
Valerio Setti1e868cc2023-01-09 17:30:01 +0100[diff] [blame]2049 /* If the above conversion to TLS ID was fine, then also this one will be,
2050 so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2051 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2052 &ssl->handshake->xxdh_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2053
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2054 ssl->handshake->xxdh_psa_type = key_type;
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2055
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2056 /* Store peer's public key in psa format. */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2057#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2058 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2059 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2060 ret = 0;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2061#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
Valerio Settid7ca3952023-05-17 15:36:18 +0200[diff] [blame]2062 size_t olen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2063 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2064 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2065 ssl->handshake->xxdh_psa_peerkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2066 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
Przemek Stekielea4000f2022-03-16 09:49:33 +0100[diff] [blame]2067
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2068 if (ret != 0) {
2069 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2070 return ret;
Przemek Stekiel561a4232022-03-16 13:16:24 +0100[diff] [blame]2071 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2072 ssl->handshake->xxdh_psa_peerkey_len = olen;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2073#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2074#else /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2075 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2076 MBEDTLS_ECDH_THEIRS)) != 0) {
2077 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2078 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2079 }
2080
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2081 if (ssl_check_server_ecdh_params(ssl) != 0) {
2082 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2083 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2084 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2085#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2086#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2087 /* We don't need the peer's public key anymore. Free it,
2088 * so that more RAM is available for upcoming expensive
2089 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2090 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2091#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2093 return ret;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2094}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2095#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2096 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2097
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2098MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2099static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2100{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2102 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2103 ssl->handshake->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2104 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2109 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2110 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2111 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2112 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2113 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2114 ((void) p);
2115 ((void) end);
2116#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2118#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2119 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2120 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2121 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2122 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2123 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2124 mbedtls_ssl_send_alert_message(
2125 ssl,
2126 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2128 return ret;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2129 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2131 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2132 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 return 0;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2134 }
2135 ((void) p);
2136 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2138 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2139
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2140#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2141 if (ssl->handshake->ecrs_enabled &&
2142 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2143 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2144 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2145#endif
2146
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2147 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2148 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2149 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2150 }
2151
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2152 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2153 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2154 mbedtls_ssl_send_alert_message(
2155 ssl,
2156 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2157 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2158 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159 }
2160
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2161 /*
2162 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2163 * doesn't use a psk_identity_hint
2164 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2165 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2166 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2167 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2168 /* Current message is probably either
2169 * CertificateRequest or ServerHelloDone */
2170 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2171 goto exit;
2172 }
2173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2174 MBEDTLS_SSL_DEBUG_MSG(1,
2175 ("server key exchange message must not be skipped"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2176 mbedtls_ssl_send_alert_message(
2177 ssl,
2178 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2179 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2181 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 }
2183
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2184#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2185 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2186 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2187 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2188
2189start_processing:
2190#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2191 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2192 end = ssl->in_msg + ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2193 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2194
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2195#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2199 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2200 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2202 mbedtls_ssl_send_alert_message(
2203 ssl,
2204 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2205 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2206 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2207 }
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]2208 } /* FALLTHROUGH */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2209#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2212 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2213 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2215 ; /* nothing more to do */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2216 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2217#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2218 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2219#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2220 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2221 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2222 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2223 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2224 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2225 mbedtls_ssl_send_alert_message(
2226 ssl,
2227 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2228 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2229 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2230 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2231 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2233 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2234#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2235 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2237 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2238 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2239 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2240 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2241 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2242 mbedtls_ssl_send_alert_message(
2243 ssl,
2244 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2245 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2246 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2247 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2250 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2251 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2252#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2253 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2254#if defined(MBEDTLS_USE_PSA_CRYPTO)
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2255 /*
2256 * The first 3 bytes are:
2257 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2258 * [1, 2] elliptic curve's TLS ID
2259 *
2260 * However since we only support secp256r1 for now, we check only
2261 * that TLS ID here
2262 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2264 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2265 MBEDTLS_ECP_DP_SECP256R1);
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2266
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2267 if (exp_tls_id == 0) {
2268 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2269 }
2270
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2271 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2272 (read_tls_id != exp_tls_id)) {
2273 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Valerio Setti5151bdf2022-11-21 14:30:02 +0100[diff] [blame]2274 }
Valerio Setti9bed8ec2022-11-17 16:36:19 +0100[diff] [blame]2275
2276 p += 3;
2277
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2278 if ((ret = mbedtls_psa_ecjpake_read_round(
2279 &ssl->handshake->psa_pake_ctx, p, end - p,
2280 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2281 psa_destroy_key(ssl->handshake->psa_pake_password);
2282 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2284 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2285 mbedtls_ssl_send_alert_message(
2286 ssl,
2287 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2288 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2289 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2290 }
2291#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2292 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2293 p, end - p);
2294 if (ret != 0) {
2295 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2296 mbedtls_ssl_send_alert_message(
2297 ssl,
2298 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2299 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2300 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2301 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2302#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2303 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2304#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2305 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2306 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2307 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2308 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2309
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2310#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2311 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2312 size_t sig_len, hashlen;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2313 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel40afdd22022-09-06 13:08:28 +0200[diff] [blame]2314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2315 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2316 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2318 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2319 void *rs_ctx = NULL;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2320 uint16_t sig_alg;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2321
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2322 mbedtls_pk_context *peer_pk;
Hanno Beckera6899bb2019-02-06 18:26:03 +0000[diff] [blame]2323
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2324#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2325 peer_pk = &ssl->handshake->peer_pubkey;
2326#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2327 if (ssl->session_negotiate->peer_cert == NULL) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2328 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2329 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2330 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2331 }
2332 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2333#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2334
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2335 /*
2336 * Handle the digitally-signed structure
2337 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2338 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2339 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2340 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2341 sig_alg, &pk_alg, &md_alg) != 0 &&
2342 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2343 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2344 MBEDTLS_SSL_DEBUG_MSG(1,
2345 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2346 mbedtls_ssl_send_alert_message(
2347 ssl,
2348 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2349 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2350 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2351 }
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2352 p += 2;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2354 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2355 MBEDTLS_SSL_DEBUG_MSG(1,
2356 ("bad server key exchange message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2357 mbedtls_ssl_send_alert_message(
2358 ssl,
2359 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2360 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2361 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2362 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2363
2364 /*
2365 * Read signature
2366 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2367
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2368 if (p > end - 2) {
2369 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2370 mbedtls_ssl_send_alert_message(
2371 ssl,
2372 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2373 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2374 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2375 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2376 sig_len = (p[0] << 8) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2377 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2378
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2379 if (p != end - sig_len) {
2380 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2381 mbedtls_ssl_send_alert_message(
2382 ssl,
2383 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2384 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2385 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2386 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2388 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2389
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2390 /*
2391 * Compute the hash that has been signed
2392 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2393 if (md_alg != MBEDTLS_MD_NONE) {
2394 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2395 params, params_len,
2396 md_alg);
2397 if (ret != 0) {
2398 return ret;
2399 }
2400 } else {
2401 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2402 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2403 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2405 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2406
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2407 /*
2408 * Verify signature
2409 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2410 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2411 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2412 mbedtls_ssl_send_alert_message(
2413 ssl,
2414 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2416 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2417 }
2418
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2419#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2420 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2421 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2422 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2423#endif
2424
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2425#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2427 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2428 rsassa_pss_options.mgf1_hash_id = md_alg;
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2429 rsassa_pss_options.expected_salt_len =
Manuel Pégourié-Gonnard9b41eb82023-03-28 11:14:24 +0200[diff] [blame]2430 mbedtls_md_get_size_from_type(md_alg);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2431 if (rsassa_pss_options.expected_salt_len == 0) {
2432 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2433 }
Andrzej Kurek0ce59212022-08-17 07:54:34 -0400[diff] [blame]2434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2435 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2436 peer_pk,
2437 md_alg, hash, hashlen,
2438 p, sig_len);
2439 } else
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2440#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2441 ret = mbedtls_pk_verify_restartable(peer_pk,
2442 md_alg, hash, hashlen, p, sig_len, rs_ctx);
Jerry Yu693a47a2022-06-23 14:02:28 +0800[diff] [blame]2443
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2444 if (ret != 0) {
David Horstmannb21bbef2022-10-06 17:49:31 +0100[diff] [blame]2445 int send_alert_msg = 1;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2446#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2448#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 if (send_alert_msg) {
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2450 mbedtls_ssl_send_alert_message(
2451 ssl,
2452 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2453 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2454 }
2455 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2456#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2457 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2458 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2459 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2460#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2461 return ret;
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2462 }
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2463
2464#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2465 /* We don't need the peer's public key anymore. Free it,
2466 * so that more RAM is available for upcoming expensive
2467 * operations like ECDHE. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2468 mbedtls_pk_free(peer_pk);
Hanno Beckerae553dd2019-02-08 14:06:00 +0000[diff] [blame]2469#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2470 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2471#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2472
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2473exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2474 ssl->state++;
2475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2476 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2478 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2479}
2480
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2481#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2482MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2484{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2485 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2486 ssl->handshake->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2488 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2489
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2490 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2491 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2492 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2493 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2494 }
2495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2497 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2498}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2499#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2500MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2501static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2502{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2504 unsigned char *buf;
2505 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2506 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2507 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2508 ssl->handshake->ciphersuite_info;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2509 size_t sig_alg_len;
2510#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2511 unsigned char *sig_alg;
2512 unsigned char *dn;
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2513#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2514
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2515 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2517 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2518 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2519 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2520 return 0;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2521 }
2522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2524 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2525 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2526 }
2527
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2528 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2529 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]2530 mbedtls_ssl_send_alert_message(
2531 ssl,
2532 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2533 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2534 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2535 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2537 ssl->state++;
Jerry Yufb28b882022-01-28 11:05:58 +0800[diff] [blame]2538 ssl->handshake->client_auth =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2539 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2541 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2542 ssl->handshake->client_auth ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2543
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2544 if (ssl->handshake->client_auth == 0) {
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]2545 /* Current message is probably the ServerHelloDone */
2546 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2547 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2548 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2549
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2550 /*
2551 * struct {
2552 * ClientCertificateType certificate_types<1..2^8-1>;
2553 * SignatureAndHashAlgorithm
2554 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2555 * DistinguishedName certificate_authorities<0..2^16-1>;
2556 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2557 *
2558 * Since we only support a single certificate on clients, let's just
2559 * ignore all the information that's supposed to help us pick a
2560 * certificate.
2561 *
2562 * We could check that our certificate matches the request, and bail out
2563 * if it doesn't, but it's simpler to just send the certificate anyway,
2564 * and give the server the opportunity to decide if it should terminate
2565 * the connection when it doesn't like our certificate.
2566 *
2567 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2568 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]2569 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2570 *
2571 * However, we still minimally parse the message to check it is at least
2572 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2573 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2574 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2575
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2576 /* certificate_types */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2577 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2578 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2579 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2580 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2581 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]2582 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2583 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2584 n = cert_type_len;
2585
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2586 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]2587 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]2588 * * the length of the signature algorithms field (if minor version of
2589 * SSL is 3),
2590 * * distinguished name length otherwise.
2591 * Both reach at most the index:
2592 * ...hdr_len + 2 + n,
2593 * therefore the buffer length at this point must be greater than that
2594 * regardless of the actual code path.
2595 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2596 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2597 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2598 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2599 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2600 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2601 }
2602
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2603 /* supported_signature_algorithms */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2604 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2605 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2606
2607 /*
2608 * The furthest access in buf is in the loop few lines below:
2609 * sig_alg[i + 1],
2610 * where:
2611 * sig_alg = buf + ...hdr_len + 3 + n,
2612 * max(i) = sig_alg_len - 1.
2613 * Therefore the furthest access is:
2614 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2615 * which reduces to:
2616 * buf[...hdr_len + 3 + n + sig_alg_len],
2617 * which is one less than we need the buf to be.
2618 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2620 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2621 mbedtls_ssl_send_alert_message(
2622 ssl,
2623 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2625 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2626 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2627
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2628#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2629 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2630 for (size_t i = 0; i < sig_alg_len; i += 2) {
2631 MBEDTLS_SSL_DEBUG_MSG(3,
2632 ("Supported Signature Algorithm found: %02x %02x",
2633 sig_alg[i], sig_alg[i + 1]));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]2634 }
2635#endif
2636
2637 n += 2 + sig_alg_len;
2638
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2639 /* certificate_authorities */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2640 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2641 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2642
2643 n += dn_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2644 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2645 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2646 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2647 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2648 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2649 }
2650
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2651#if defined(MBEDTLS_DEBUG_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2652 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2653 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2654 unsigned char *p = dn + i + 2;
2655 mbedtls_x509_name name;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2656 size_t asn1_len;
2657 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2658 memset(&name, 0, sizeof(name));
2659 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2660 if (dni_len > dn_len - i - 2 ||
2661 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2662 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2663 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2664 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2665 mbedtls_ssl_send_alert_message(
2666 ssl,
2667 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2668 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2669 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2670 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2671 MBEDTLS_SSL_DEBUG_MSG(3,
2672 ("DN hint: %.*s",
2673 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2674 mbedtls_asn1_free_named_data_list_shallow(name.next);
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]2675 }
2676#endif
2677
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2678exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2679 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2680
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2681 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2682}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2683#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2684
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2685MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2686static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2687{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2688 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2689
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2690 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2691
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2692 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2693 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2694 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2695 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2696
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2697 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2698 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2699 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2700 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2701
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2702 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2703 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2704 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2705 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2706 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2707 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2708 }
2709
2710 ssl->state++;
2711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2712#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2713 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2714 mbedtls_ssl_recv_flight_completed(ssl);
2715 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2716#endif
2717
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2718 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2719
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2720 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2721}
2722
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2723MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2724static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2725{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2726 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2727
2728 size_t header_len;
2729 size_t content_len;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2730 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2731 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2733 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2734
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2735#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2736 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2737 /*
2738 * DHM key exchange -- send G^X mod P
2739 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2740 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2742 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2743 header_len = 6;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2744
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2745 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2746 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2747 &ssl->out_msg[header_len], content_len,
2748 ssl->conf->f_rng, ssl->conf->p_rng);
2749 if (ret != 0) {
2750 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2751 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2752 }
2753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2754 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2755 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2756
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2757 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2758 ssl->handshake->premaster,
2759 MBEDTLS_PREMASTER_SIZE,
2760 &ssl->handshake->pmslen,
2761 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2762 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2763 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2764 }
2765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2766 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2767 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2769#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2770 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2771 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2772 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2773 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Przemek Stekield905d332022-03-16 09:50:56 +0100[diff] [blame]2774 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2775 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2776 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2777#if defined(MBEDTLS_USE_PSA_CRYPTO)
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2778 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2779 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2780 psa_key_attributes_t key_attributes;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2781
2782 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2783
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2784 header_len = 4;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2785
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2786 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Hanno Becker0a94a642019-01-11 14:35:30 +0000[diff] [blame]2787
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2788 /*
2789 * Generate EC private key for ECDHE exchange.
2790 */
2791
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2792 /* The master secret is obtained from the shared ECDH secret by
2793 * applying the TLS 1.2 PRF with a specific salt and label. While
2794 * the PSA Crypto API encourages combining key agreement schemes
2795 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2796 * yet support the provisioning of salt + label to the KDF.
2797 * For the time being, we therefore need to split the computation
2798 * of the ECDH secret and the application of the TLS 1.2 PRF. */
Janos Follath53b8ec22019-08-08 10:28:27 +0100[diff] [blame]2799 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2800 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2801 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2802 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2803 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2804
2805 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2806 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2807 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2808 if (status != PSA_SUCCESS) {
2809 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2810 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2811
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2812 /* Export the public part of the ECDH private key from PSA.
Manuel Pégourié-Gonnard5d6053f2022-02-08 10:26:19 +0100[diff] [blame]2813 * The export format is an ECPoint structure as expected by TLS,
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2814 * but we just need to add a length byte before that. */
2815 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2816 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2817 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2818 size_t own_pubkey_len;
2819
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2820 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2821 own_pubkey, own_pubkey_max_len,
2822 &own_pubkey_len);
2823 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2824 psa_destroy_key(handshake->xxdh_psa_privkey);
2825 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2826 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2827 }
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2828
Manuel Pégourié-Gonnard58d23832022-01-18 12:17:15 +0100[diff] [blame]2829 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2830 content_len = own_pubkey_len + 1;
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2831
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2832 /* The ECDH secret is the premaster secret used for key derivation. */
2833
Janos Follathdf3b0892019-08-08 11:12:24 +0100[diff] [blame]2834 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2835 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2836 handshake->xxdh_psa_privkey,
2837 handshake->xxdh_psa_peerkey,
2838 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2839 ssl->handshake->premaster,
2840 sizeof(ssl->handshake->premaster),
2841 &ssl->handshake->pmslen);
Hanno Becker4a63ed42019-01-08 11:39:35 +0000[diff] [blame]2842
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2843 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
2844 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kureka0237f82022-02-24 13:24:52 -0500[diff] [blame]2845
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2846 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2847 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2848 }
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]2849#else
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2850 /*
2851 * ECDH key exchange -- send client public value
2852 */
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2853 header_len = 4;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2854
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2855#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 if (ssl->handshake->ecrs_enabled) {
2857 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2858 goto ecdh_calc_secret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2859 }
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]2860
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2862 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2863#endif
2864
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2865 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2866 &content_len,
2867 &ssl->out_msg[header_len], 1000,
2868 ssl->conf->f_rng, ssl->conf->p_rng);
2869 if (ret != 0) {
2870 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2871#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2872 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2873 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2875#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2877 }
2878
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2879 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2880 MBEDTLS_DEBUG_ECDH_Q);
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2881
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2882#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2883 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2884 ssl->handshake->ecrs_n = content_len;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]2885 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2886 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2887
2888ecdh_calc_secret:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2889 if (ssl->handshake->ecrs_enabled) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]2890 content_len = ssl->handshake->ecrs_n;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2891 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]2892#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2893 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2894 &ssl->handshake->pmslen,
2895 ssl->handshake->premaster,
2896 MBEDTLS_MPI_MAX_SIZE,
2897 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2898 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2899#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2900 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2901 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2902 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2903#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2904 return ret;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2905 }
2906
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2907 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2908 MBEDTLS_DEBUG_ECDH_Z);
Neil Armstrong11d49452022-04-13 15:03:43 +0200[diff] [blame]2909#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2910 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2911#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2912 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2913 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2914 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2915#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2916 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2917 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2918 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2919 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2920 psa_key_attributes_t key_attributes;
2921
2922 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2923
2924 /*
2925 * opaque psk_identity<0..2^16-1>;
2926 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2927 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2928 /* We don't offer PSK suites if we don't have a PSK,
2929 * and we check that the server's choice is among the
2930 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2931 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2932 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2933
Neil Armstrongfc834f22022-03-23 17:54:38 +0100[diff] [blame]2934 /* uint16 to store content length */
2935 const size_t content_len_size = 2;
2936
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2937 header_len = 4;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2939 if (header_len + content_len_size + ssl->conf->psk_identity_len
2940 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2941 MBEDTLS_SSL_DEBUG_MSG(1,
2942 ("psk identity too long or SSL buffer too short"));
2943 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2944 }
2945
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2946 unsigned char *p = ssl->out_msg + header_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2949 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2950 header_len += content_len_size;
2951
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2952 memcpy(p, ssl->conf->psk_identity,
2953 ssl->conf->psk_identity_len);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2954 p += ssl->conf->psk_identity_len;
2955
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2956 header_len += ssl->conf->psk_identity_len;
2957
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2958 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2959
2960 /*
2961 * Generate EC private key for ECDHE exchange.
2962 */
2963
2964 /* The master secret is obtained from the shared ECDH secret by
2965 * applying the TLS 1.2 PRF with a specific salt and label. While
2966 * the PSA Crypto API encourages combining key agreement schemes
2967 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2968 * yet support the provisioning of salt + label to the KDF.
2969 * For the time being, we therefore need to split the computation
2970 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2971 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2973 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2974 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2975 psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2976
2977 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2978 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2979 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2980 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2981 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2982 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2983
2984 /* Export the public part of the ECDH private key from PSA.
2985 * The export format is an ECPoint structure as expected by TLS,
2986 * but we just need to add a length byte before that. */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]2987 unsigned char *own_pubkey = p + 1;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2988 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2989 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]2990 size_t own_pubkey_len = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2991
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2992 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2993 own_pubkey, own_pubkey_max_len,
2994 &own_pubkey_len);
2995 if (status != PSA_SUCCESS) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2996 psa_destroy_key(handshake->xxdh_psa_privkey);
2997 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2998 return PSA_TO_MBEDTLS_ERR(status);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]2999 }
3000
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3001 *p = (unsigned char) own_pubkey_len;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3002 content_len = own_pubkey_len + 1;
3003
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3004 /* As RFC 5489 section 2, the premaster secret is formed as follows:
3005 * - a uint16 containing the length (in octets) of the ECDH computation
3006 * - the octet string produced by the ECDH computation
3007 * - a uint16 containing the length (in octets) of the PSK
3008 * - the PSK itself
3009 */
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3010 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3011 const unsigned char * const pms_end = pms +
3012 sizeof(ssl->handshake->premaster);
Neil Armstrong0bdb68a2022-03-23 17:46:32 +0100[diff] [blame]3013 /* uint16 to store length (in octets) of the ECDH computation */
3014 const size_t zlen_size = 2;
Neil Armstrongbc5e8f92022-03-23 17:42:50 +0100[diff] [blame]3015 size_t zlen = 0;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3016
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3017 /* Perform ECDH computation after the uint16 reserved for the length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3018 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3019 handshake->xxdh_psa_privkey,
3020 handshake->xxdh_psa_peerkey,
3021 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3022 pms + zlen_size,
3023 pms_end - (pms + zlen_size),
3024 &zlen);
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3025
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3026 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3027 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3028
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3029 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3030 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3031 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3032 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 }
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3034
Neil Armstrong25400452022-03-23 17:44:07 +0100[diff] [blame]3035 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3036 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
Neil Armstrongb7ca76b2022-04-04 18:27:15 +0200[diff] [blame]3037 pms += zlen_size + zlen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3038 } else
Neil Armstrong868af822022-03-09 10:26:25 +0100[diff] [blame]3039#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3040 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3041#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3042 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3043 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3044 * opaque psk_identity<0..2^16-1>;
3045 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3046 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
Hanno Becker2e4f6162018-10-23 11:54:44 +0100[diff] [blame]3047 /* We don't offer PSK suites if we don't have a PSK,
3048 * and we check that the server's choice is among the
3049 * ciphersuites we offered, so this should never happen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3050 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3051 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3052
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3053 header_len = 4;
3054 content_len = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3056 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3057 MBEDTLS_SSL_DEBUG_MSG(1,
3058 ("psk identity too long or SSL buffer too short"));
3059 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3060 }
3061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3062 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3063 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3065 memcpy(ssl->out_msg + header_len,
3066 ssl->conf->psk_identity,
3067 ssl->conf->psk_identity_len);
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3068 header_len += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3070#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3071 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3072 content_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3073 } else
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3074#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3075#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3076 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3077 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3078 &content_len, 2)) != 0) {
3079 return ret;
3080 }
3081 } else
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3082#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3083#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3084 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3085 /*
3086 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3087 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3088 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3090 if (header_len + 2 + content_len >
3091 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3092 MBEDTLS_SSL_DEBUG_MSG(1,
3093 ("psk identity or DHM size too long or SSL buffer too short"));
3094 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3095 }
3096
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3097 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3098 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3099
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3100 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3101 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3102 &ssl->out_msg[header_len], content_len,
3103 ssl->conf->f_rng, ssl->conf->p_rng);
3104 if (ret != 0) {
3105 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3106 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3107 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3108
3109#if defined(MBEDTLS_USE_PSA_CRYPTO)
3110 unsigned char *pms = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3111 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3112 size_t pms_len;
3113
3114 /* Write length only when we know the actual value */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3115 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3116 pms + 2, pms_end - (pms + 2), &pms_len,
3117 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3118 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3119 return ret;
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3120 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3122 pms += 2 + pms_len;
3123
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3124 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3125#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3126 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3127#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3128#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3129 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3130 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3131 /*
3132 * ClientECDiffieHellmanPublic public;
3133 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3134 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3135 &content_len,
3136 &ssl->out_msg[header_len],
3137 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3138 ssl->conf->f_rng, ssl->conf->p_rng);
3139 if (ret != 0) {
3140 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3141 return ret;
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3142 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3143
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3144 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3145 MBEDTLS_DEBUG_ECDH_Q);
3146 } else
Neil Armstrongd8419ff2022-04-12 14:39:12 +0200[diff] [blame]3147#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3148 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3149 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3150 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3151 }
3152
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3153#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3154 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3155 ciphersuite_info->key_exchange)) != 0) {
3156 MBEDTLS_SSL_DEBUG_RET(1,
3157 "mbedtls_ssl_psk_derive_premaster", ret);
3158 return ret;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3159 }
Neil Armstrong80f6f322022-05-03 17:56:38 +0200[diff] [blame]3160#endif /* !MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3161 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3162#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3163#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3164 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3165 header_len = 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3166 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3167 &content_len, 0)) != 0) {
3168 return ret;
3169 }
3170 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3171#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3172#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3173 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3174 header_len = 4;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3175
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3176#if defined(MBEDTLS_USE_PSA_CRYPTO)
3177 unsigned char *out_p = ssl->out_msg + header_len;
3178 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3179 header_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3180 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3181 out_p, end_p - out_p, &content_len,
3182 MBEDTLS_ECJPAKE_ROUND_TWO);
3183 if (ret != 0) {
3184 psa_destroy_key(ssl->handshake->psa_pake_password);
3185 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3186 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3187 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3188 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3189#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3190 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3191 ssl->out_msg + header_len,
3192 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3193 &content_len,
3194 ssl->conf->f_rng, ssl->conf->p_rng);
3195 if (ret != 0) {
3196 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3197 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3198 }
3199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3200 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3201 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3202 ssl->conf->f_rng, ssl->conf->p_rng);
3203 if (ret != 0) {
3204 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3205 return ret;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3206 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3207#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3208 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3209#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3210 {
3211 ((void) ciphersuite_info);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3212 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3213 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3214 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3215
Hanno Beckerc14a3bb2019-01-14 09:41:16 +0000[diff] [blame]3216 ssl->out_msglen = header_len + content_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3217 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3218 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3219
3220 ssl->state++;
3221
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3222 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3223 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3224 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3225 }
3226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3227 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3229 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3230}
3231
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3232#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3233MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3234static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3235{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3236 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3237 ssl->handshake->ciphersuite_info;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3238 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3239
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3240 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3241
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3242 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3243 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3244 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3245 }
3246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3247 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3248 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3249 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3250 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3251 }
3252
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3253 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3254 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3255}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3256#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3257MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3258static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3259{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3260 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3261 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3262 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3263 size_t n = 0, offset = 0;
3264 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3265 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3266 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3267 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3268 void *rs_ctx = NULL;
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3269#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3270 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3271#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3272 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]3273#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3275 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3276
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3277#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3278 if (ssl->handshake->ecrs_enabled &&
3279 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3280 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3281 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3282#endif
3283
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3284 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3285 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3286 return ret;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3287 }
3288
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3289 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3290 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3291 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3292 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3293 }
3294
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3295 if (ssl->handshake->client_auth == 0 ||
3296 mbedtls_ssl_own_cert(ssl) == NULL) {
3297 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
Johan Pascala89ca862020-08-25 10:03:19 +0200[diff] [blame]3298 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3299 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3300 }
3301
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3302 if (mbedtls_ssl_own_key(ssl) == NULL) {
3303 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3304 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3305 }
3306
3307 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3308 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3309 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3310#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3311 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3312 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3313 }
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3314
3315sign:
3316#endif
3317
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3318 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3319 if (0 != ret) {
3320 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3321 return ret;
3322 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3323
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3324 /*
3325 * digitally-signed struct {
3326 * opaque handshake_messages[handshake_messages_length];
3327 * };
3328 *
3329 * Taking shortcut here. We assume that the server always allows the
3330 * PRF Hash function and has sent it in the allowed signature
3331 * algorithms list received in the Certificate Request message.
3332 *
3333 * Until we encounter a server that does not, we will take this
3334 * shortcut.
3335 *
3336 * Reason: Otherwise we should have running hashes for SHA512 and
3337 * SHA224 in order to satisfy 'weird' needs from the server
3338 * side.
3339 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3340 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3341 md_alg = MBEDTLS_MD_SHA384;
3342 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3343 } else {
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3344 md_alg = MBEDTLS_MD_SHA256;
3345 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3346 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3347 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
Ronald Cron90915f22022-03-07 11:11:36 +0100[diff] [blame]3348
3349 /* Info from md_alg will be used instead */
3350 hashlen = 0;
3351 offset = 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3352
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3353#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3354 if (ssl->handshake->ecrs_enabled) {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3355 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3356 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3357#endif
3358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3359 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3360 md_alg, hash_start, hashlen,
3361 ssl->out_msg + 6 + offset,
3362 out_buf_len - 6 - offset,
3363 &n,
3364 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3365 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3366#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3367 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3368 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3369 }
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3370#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3371 return ret;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3372 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3373
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3374 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3375
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3376 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3377 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3378 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3379
3380 ssl->state++;
3381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3382 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3383 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3384 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3385 }
3386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3387 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3389 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3390}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3391#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3393#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3394MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3395static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3396{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3397 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3398 uint32_t lifetime;
3399 size_t ticket_len;
3400 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3401 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3402
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3403 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3405 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3406 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3407 return ret;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3408 }
3409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3410 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3411 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
Hanno Beckerb2fff6d2017-05-08 11:06:19 +0100[diff] [blame]3412 mbedtls_ssl_send_alert_message(
3413 ssl,
3414 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3415 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3416 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3417 }
3418
3419 /*
3420 * struct {
3421 * uint32 ticket_lifetime_hint;
3422 * opaque ticket<0..2^16-1>;
3423 * } NewSessionTicket;
3424 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3425 * 0 . 3 ticket_lifetime_hint
3426 * 4 . 5 ticket_len (n)
3427 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3428 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3429 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3430 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3431 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3432 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3433 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3434 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3435 }
3436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3437 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3439 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
3440 (msg[2] << 8) | (msg[3]);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3442 ticket_len = (msg[4] << 8) | (msg[5]);
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3443
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3444 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3445 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3446 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3447 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3448 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3449 }
3450
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3451 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3452
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3453 /* We're not waiting for a NewSessionTicket message any more */
3454 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3455 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3456
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3457 /*
3458 * Zero-length ticket means the server changed his mind and doesn't want
3459 * to send a ticket after all, so just forget it
3460 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3461 if (ticket_len == 0) {
3462 return 0;
3463 }
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3464
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3465 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3466 mbedtls_platform_zeroize(ssl->session->ticket,
3467 ssl->session->ticket_len);
3468 mbedtls_free(ssl->session->ticket);
Hanno Beckerb2964cb2019-01-30 14:46:35 +0000[diff] [blame]3469 ssl->session->ticket = NULL;
3470 ssl->session->ticket_len = 0;
3471 }
3472
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3473 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
3474 ssl->session_negotiate->ticket_len);
3475 mbedtls_free(ssl->session_negotiate->ticket);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3476 ssl->session_negotiate->ticket = NULL;
3477 ssl->session_negotiate->ticket_len = 0;
3478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3479 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3480 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3481 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3482 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3483 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3484 }
3485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3486 memcpy(ticket, msg + 6, ticket_len);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3487
3488 ssl->session_negotiate->ticket = ticket;
3489 ssl->session_negotiate->ticket_len = ticket_len;
3490 ssl->session_negotiate->ticket_lifetime = lifetime;
3491
3492 /*
3493 * RFC 5077 section 3.4:
3494 * "If the client receives a session ticket from the server, then it
3495 * discards any Session ID that was sent in the ServerHello."
3496 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3497 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3498 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3500 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3502 return 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3503}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3504#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3505
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3506/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3507 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3508 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3509int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3510{
3511 int ret = 0;
3512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3513 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3514 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3515#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3516 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3517 ssl->handshake->new_session_ticket != 0) {
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]3518 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3519 }
3520#endif
3521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3522 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3523 case MBEDTLS_SSL_HELLO_REQUEST:
3524 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3525 break;
3526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3527 /*
3528 * ==> ClientHello
3529 */
3530 case MBEDTLS_SSL_CLIENT_HELLO:
3531 ret = mbedtls_ssl_write_client_hello(ssl);
3532 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3534 /*
3535 * <== ServerHello
3536 * Certificate
3537 * ( ServerKeyExchange )
3538 * ( CertificateRequest )
3539 * ServerHelloDone
3540 */
3541 case MBEDTLS_SSL_SERVER_HELLO:
3542 ret = ssl_parse_server_hello(ssl);
3543 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3545 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3546 ret = mbedtls_ssl_parse_certificate(ssl);
3547 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3548
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3549 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3550 ret = ssl_parse_server_key_exchange(ssl);
3551 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3552
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3553 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3554 ret = ssl_parse_certificate_request(ssl);
3555 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3556
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3557 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3558 ret = ssl_parse_server_hello_done(ssl);
3559 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3560
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3561 /*
3562 * ==> ( Certificate/Alert )
3563 * ClientKeyExchange
3564 * ( CertificateVerify )
3565 * ChangeCipherSpec
3566 * Finished
3567 */
3568 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3569 ret = mbedtls_ssl_write_certificate(ssl);
3570 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3571
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3572 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3573 ret = ssl_write_client_key_exchange(ssl);
3574 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3576 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3577 ret = ssl_write_certificate_verify(ssl);
3578 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3580 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3581 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3582 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3584 case MBEDTLS_SSL_CLIENT_FINISHED:
3585 ret = mbedtls_ssl_write_finished(ssl);
3586 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3587
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3588 /*
3589 * <== ( NewSessionTicket )
3590 * ChangeCipherSpec
3591 * Finished
3592 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3593#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3594 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3595 ret = ssl_parse_new_session_ticket(ssl);
3596 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3597#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3598
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3599 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3600 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3601 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3602
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3603 case MBEDTLS_SSL_SERVER_FINISHED:
3604 ret = mbedtls_ssl_parse_finished(ssl);
3605 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3607 case MBEDTLS_SSL_FLUSH_BUFFERS:
3608 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3609 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3610 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3611
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3612 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3613 mbedtls_ssl_handshake_wrapup(ssl);
3614 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3616 default:
3617 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3619 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3620
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3621 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3622}
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]3623
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3624#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */