TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 602b2968caa8c38277eeaf86b55ab22510a28c43 / . / library / ssl_tls12_server.c
blob: d3c422369a38235c42b609e9ae960de7e3f0a451 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]2 * TLS server-side functions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]6 */
7
Harry Ramsey0f6bc412024-10-04 10:36:54 +0100[diff] [blame]8#include "ssl_misc.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]9
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]11
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]12#include "mbedtls/platform.h"
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]13
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]14#include "mbedtls/ssl.h"
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]15#include "debug_internal.h"
Janos Follath73c616b2019-12-18 15:07:04 +0000[diff] [blame]16#include "mbedtls/error.h"
Andres Amaya Garcia84914062018-04-24 08:40:46 -0500[diff] [blame]17#include "mbedtls/platform_util.h"
Gabor Mezei22c9a6f2021-10-20 12:09:35 +0200[diff] [blame]18#include "constant_time_internal.h"
Gabor Mezei765862c2021-10-19 12:22:25 +0200[diff] [blame]19#include "mbedtls/constant_time.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]20
21#include <string.h>
22
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]23/* Define a local translating function to save code size by not using too many
24 * arguments in each translating place. */
Andrzej Kurek1c7a9982023-05-30 09:21:20 -0400[diff] [blame]25#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
26 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]34#endif
35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/ecp.h"
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]38#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]41#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]45int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
46 const unsigned char *info,
47 size_t ilen)
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]48{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]49 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
50 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
51 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]52
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]53 mbedtls_free(ssl->cli_id);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]54
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]55 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
56 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
57 }
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]58
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]59 memcpy(ssl->cli_id, info, ilen);
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]60 ssl->cli_id_len = ilen;
61
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]62 return 0;
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]63}
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]64
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
66 mbedtls_ssl_cookie_write_t *f_cookie_write,
67 mbedtls_ssl_cookie_check_t *f_cookie_check,
68 void *p_cookie)
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]69{
Manuel Pégourié-Gonnardd36e33f2015-05-05 10:45:39 +0200[diff] [blame]70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
Manuel Pégourié-Gonnardd485d192014-07-23 14:56:15 +0200[diff] [blame]73}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]74#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard43c02182014-07-22 17:32:01 +0200[diff] [blame]75
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]76#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]77MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]79{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 if (conf->f_psk != NULL) {
81 return 1;
82 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]83
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]84 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
85 return 0;
86 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]87
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]88
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]89 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
90 return 1;
91 }
Neil Armstrong8ecd6682022-05-05 11:40:35 +0200[diff] [blame]92
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]93 if (conf->psk != NULL && conf->psk_len != 0) {
94 return 1;
95 }
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]96
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]97 return 0;
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]98}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]99#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Hanno Becker845b9462018-10-26 12:07:29 +0100[diff] [blame]100
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]101MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]102static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
103 const unsigned char *buf,
104 size_t len)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]105{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]106#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]107 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]108 /* Check verify-data in constant-time. The length OTOH is no secret */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 if (len != 1 + ssl->verify_data_len ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]110 buf[0] != ssl->verify_data_len ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]111 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
112 ssl->verify_data_len) != 0) {
113 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
114 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
115 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
116 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]117 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]118 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]119#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]120 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]121 if (len != 1 || buf[0] != 0x0) {
122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]126 }
127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]128 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]129 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]131 return 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]132}
133
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]134#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]135 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]136 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]137/*
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]138 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
139 * curves (TLS 1.2) extension.
140 *
141 * The "extension_data" field of a supported groups extension contains a
142 * "NamedGroupList" value (TLS 1.3 RFC8446):
143 * enum {
144 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
145 * x25519(0x001D), x448(0x001E),
146 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
147 * ffdhe6144(0x0103), ffdhe8192(0x0104),
148 * ffdhe_private_use(0x01FC..0x01FF),
149 * ecdhe_private_use(0xFE00..0xFEFF),
150 * (0xFFFF)
151 * } NamedGroup;
152 * struct {
153 * NamedGroup named_group_list<2..2^16-1>;
154 * } NamedGroupList;
155 *
156 * The "extension_data" field of a supported elliptic curves extension contains
157 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
158 * enum {
159 * deprecated(1..22),
160 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
161 * x25519(29), x448(30),
162 * reserved (0xFE00..0xFEFF),
163 * deprecated(0xFF01..0xFF02),
164 * (0xFFFF)
165 * } NamedCurve;
166 * struct {
167 * NamedCurve named_curve_list<2..2^16-1>
168 * } NamedCurveList;
169 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]170 * The TLS 1.3 supported groups extension was defined to be a compatible
171 * generalization of the TLS 1.2 supported elliptic curves extension. They both
172 * share the same extension identifier.
Jerry Yud491ea42022-01-13 16:15:25 +0800[diff] [blame]173 *
Jerry Yub925f212022-01-12 11:17:02 +0800[diff] [blame]174 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]175MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]176static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
177 const unsigned char *buf,
178 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]179{
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]180 size_t list_size, our_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]181 const unsigned char *p;
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]182 uint16_t *curves_tls_id;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]183
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]184 if (len < 2) {
185 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
186 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
187 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
188 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]189 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]190 list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (list_size + 2 != len ||
192 list_size % 2 != 0) {
193 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
194 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
195 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
196 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]197 }
198
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]199 /* Should never happen unless client duplicates the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]200 if (ssl->handshake->curves_tls_id != NULL) {
201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
204 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard43c3b282014-10-17 12:42:11 +0200[diff] [blame]205 }
206
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]207 /* Don't allow our peer to make us allocate too much memory,
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]208 * and leave room for a final 0 */
209 our_size = list_size / 2 + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]210 if (our_size > MBEDTLS_ECP_DP_MAX) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211 our_size = MBEDTLS_ECP_DP_MAX;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]212 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]213
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]214 if ((curves_tls_id = mbedtls_calloc(our_size,
215 sizeof(*curves_tls_id))) == NULL) {
216 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
217 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
218 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]219 }
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]220
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]221 ssl->handshake->curves_tls_id = curves_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]222
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]223 p = buf + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]224 while (list_size > 0 && our_size > 1) {
225 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
228 MBEDTLS_ECP_DP_NONE) {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]229 *curves_tls_id++ = curr_tls_id;
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +0200[diff] [blame]230 our_size--;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]231 }
232
233 list_size -= 2;
234 p += 2;
235 }
236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]237 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]238}
239
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]240MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]241static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
242 const unsigned char *buf,
243 size_t len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]244{
245 size_t list_size;
246 const unsigned char *p;
247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]248 if (len == 0 || (size_t) (buf[0] + 1) != len) {
249 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
250 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
251 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
252 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]253 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]254 list_size = buf[0];
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]255
Manuel Pégourié-Gonnardc1b46d02015-09-16 11:18:32 +0200[diff] [blame]256 p = buf + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]257 while (list_size > 0) {
258 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
259 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]260 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
261 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]262 }
263
264 list_size--;
265 p++;
266 }
267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 return 0;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]269}
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]270#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]271 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]272 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]273
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]274#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]275MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
277 const unsigned char *buf,
278 size_t len)
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]279{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]281
Manuel Pégourié-Gonnard58916762025-01-23 10:48:45 +0100[diff] [blame]282 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]283 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
284 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]285 }
286
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]287 if ((ret = mbedtls_psa_ecjpake_read_round(
288 &ssl->handshake->psa_pake_ctx, buf, len,
289 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
290 psa_destroy_key(ssl->handshake->psa_pake_password);
291 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]292
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]293 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]294 mbedtls_ssl_send_alert_message(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]295 ssl,
296 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]298
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]299 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]300 }
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]301
302 /* Only mark the extension as OK when we're sure it is */
303 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]305 return 0;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]306}
307#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]309#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]310MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]311static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
312 const unsigned char *buf,
313 size_t len)
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]314{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]315 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
316 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
317 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
318 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
319 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]320 }
321
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]322 ssl->session_negotiate->mfl_code = buf[0];
323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 return 0;
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]325}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]326#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]328#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]329MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]330static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
331 const unsigned char *buf,
332 size_t len)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]333{
334 size_t peer_cid_len;
335
336 /* CID extension only makes sense in DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
338 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
339 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
340 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
341 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]342 }
343
344 /*
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]345 * struct {
346 * opaque cid<0..2^8-1>;
347 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]350 if (len < 1) {
351 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
352 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
353 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
354 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]355 }
356
357 peer_cid_len = *buf++;
358 len--;
359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]360 if (len != peer_cid_len) {
361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
362 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
363 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
364 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]365 }
366
367 /* Ignore CID if the user has disabled its use. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]368 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]369 /* Leave ssl->handshake->cid_in_use in its default
370 * value of MBEDTLS_SSL_CID_DISABLED. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]371 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
372 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]373 }
374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
377 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
378 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
379 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]380 }
381
Hanno Becker08556bf2019-05-03 12:43:44 +0100[diff] [blame]382 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]383 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]384 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
387 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]388
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]389 return 0;
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]390}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]391#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]393#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]394MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
396 const unsigned char *buf,
397 size_t len)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]398{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]399 if (len != 0) {
400 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
401 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
402 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
403 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]404 }
405
406 ((void) buf);
407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]408 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]410 }
411
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]412 return 0;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]413}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]414#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]416#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]417MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]418static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]421{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 if (len != 0) {
423 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
424 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
425 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
426 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]427 }
428
429 ((void) buf);
430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]431 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]433 }
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 return 0;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]436}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]437#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]439#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]440MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]441static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
442 unsigned char *buf,
443 size_t len)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]444{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]446 mbedtls_ssl_session session;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 mbedtls_ssl_session_init(&session);
Manuel Pégourié-Gonnardbae389b2015-06-24 10:45:58 +0200[diff] [blame]449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]450 if (ssl->conf->f_ticket_parse == NULL ||
451 ssl->conf->f_ticket_write == NULL) {
452 return 0;
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]453 }
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]454
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]455 /* Remember the client asked us to send a new ticket */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]456 ssl->handshake->new_session_ticket = 1;
457
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]458 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]460 if (len == 0) {
461 return 0;
462 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
466 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
467 return 0;
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]468 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]470
471 /*
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]472 * Failures are ok: just ignore the ticket and proceed.
473 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]474 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
475 buf, len)) != 0) {
476 mbedtls_ssl_session_free(&session);
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]478 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
479 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
480 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
481 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
482 } else {
483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
484 }
Manuel Pégourié-Gonnardd59675d2015-05-19 15:28:00 +0200[diff] [blame]485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]486 return 0;
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]487 }
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]488
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]489 /*
490 * Keep the session ID sent by the client, since we MUST send it back to
491 * inform them we're accepting the ticket (RFC 5077 section 3.4)
492 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]493 session.id_len = ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]494 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496 mbedtls_ssl_session_free(ssl->session_negotiate);
497 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]498
499 /* Zeroize instead of free as we copied the content */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
Manuel Pégourié-Gonnard69f17282015-05-18 14:35:08 +0200[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]503
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]504 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]505
Manuel Pégourié-Gonnard306827e2013-08-02 18:05:14 +0200[diff] [blame]506 /* Don't send a new ticket after all, this one is OK */
507 ssl->handshake->new_session_ticket = 0;
508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]510}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]512
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]513#if defined(MBEDTLS_SSL_DTLS_SRTP)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]514MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]515static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
516 const unsigned char *buf,
517 size_t len)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]518{
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]519 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]520 size_t i, j;
Johan Pascalf6417ec2020-09-22 15:15:19 +0200[diff] [blame]521 size_t profile_length;
522 uint16_t mki_length;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]523 /*! 2 bytes for profile length and 1 byte for mki len */
524 const size_t size_of_lengths = 3;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]525
526 /* If use_srtp is not configured, just ignore the extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]527 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
528 (ssl->conf->dtls_srtp_profile_list == NULL) ||
529 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
530 return 0;
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]531 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]532
533 /* RFC5764 section 4.1.1
534 * uint8 SRTPProtectionProfile[2];
535 *
536 * struct {
537 * SRTPProtectionProfiles SRTPProtectionProfiles;
538 * opaque srtp_mki<0..255>;
539 * } UseSRTPData;
540
541 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]542 */
543
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]544 /*
545 * Min length is 5: at least one protection profile(2 bytes)
546 * and length(2 bytes) + srtp_mki length(1 byte)
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]547 * Check here that we have at least 2 bytes of protection profiles length
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]548 * and one of srtp_mki length
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]549 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]550 if (len < size_of_lengths) {
551 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
552 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
553 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]554 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]555
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]556 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]557
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]558 /* first 2 bytes are protection profile length(in bytes) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]559 profile_length = (buf[0] << 8) | buf[1];
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]560 buf += 2;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]561
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]562 /* The profile length cannot be bigger than input buffer size - lengths fields */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]563 if (profile_length > len - size_of_lengths ||
564 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
565 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
566 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
567 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ron Eldor313d7b52018-12-10 14:56:21 +0200[diff] [blame]568 }
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]569 /*
570 * parse the extension list values are defined in
571 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
572 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 for (j = 0; j < profile_length; j += 2) {
Johan Pascal76fdf1d2020-10-22 23:31:00 +0200[diff] [blame]574 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]576
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]577 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
578 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
579 mbedtls_ssl_get_srtp_profile_as_string(
580 client_protection)));
581 } else {
Johan Pascal85269572020-08-25 10:01:54 +0200[diff] [blame]582 continue;
583 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]584 /* check if suggested profile is in our list */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]585 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
586 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
Ron Eldor3adb9922017-12-21 10:15:08 +0200[diff] [blame]587 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]588 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
589 mbedtls_ssl_get_srtp_profile_as_string(
590 client_protection)));
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]591 break;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]592 }
593 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]595 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 }
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]597 }
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]598 buf += profile_length; /* buf points to the mki length */
599 mki_length = *buf;
600 buf++;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]601
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]602 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
603 mki_length + profile_length + size_of_lengths != len) {
604 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
605 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
606 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]607 }
608
609 /* Parse the mki only if present and mki is supported locally */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
611 mki_length > 0) {
Johan Pascal042d4562020-08-25 12:14:02 +0200[diff] [blame]612 ssl->dtls_srtp_info.mki_len = mki_length;
613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]614 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
617 ssl->dtls_srtp_info.mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]618 }
619
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]620 return 0;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]621}
622#endif /* MBEDTLS_SSL_DTLS_SRTP */
623
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]624/*
625 * Auxiliary functions for ServerHello parsing and related actions
626 */
627
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]629/*
Manuel Pégourié-Gonnard6458e3b2015-01-08 14:16:56 +0100[diff] [blame]630 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]631 */
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]632#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]633MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634static int ssl_check_key_curve(mbedtls_pk_context *pk,
635 uint16_t *curves_tls_id)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]636{
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]637 uint16_t *curr_tls_id = curves_tls_id;
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]638 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]639 mbedtls_ecp_group_id curr_grp_id;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]640
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]641 while (*curr_tls_id != 0) {
642 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
643 if (curr_grp_id == grp_id) {
644 return 0;
645 }
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]646 curr_tls_id++;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]647 }
648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]649 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]650}
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]651#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]652
653/*
654 * Try picking a certificate for this ciphersuite,
655 * return 0 on success and -1 on failure.
656 */
Gabor Mezei58535da2025-03-03 15:43:50 +0100[diff] [blame]657#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]658MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]659static int ssl_pick_cert(mbedtls_ssl_context *ssl,
660 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]661{
Glenn Strauss041a3762022-03-15 06:08:29 -0400[diff] [blame]662 mbedtls_ssl_key_cert *cur, *list;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]663 psa_algorithm_t pk_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]665 psa_key_usage_t pk_usage =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
Manuel Pégourié-Gonnarde6ef16f2015-05-11 19:54:43 +0200[diff] [blame]667 uint32_t flags;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]668
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]669#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]670 if (ssl->handshake->sni_key_cert != NULL) {
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]671 list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 } else
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]673#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 list = ssl->conf->key_cert;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]675
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]676 int pk_alg_is_none = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 if (pk_alg_is_none) {
679 return 0;
Manuel Pégourié-Gonnarde540b492015-07-07 12:44:38 +0200[diff] [blame]680 }
681
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
683
684 if (list == NULL) {
685 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
686 return -1;
687 }
688
689 for (cur = list; cur != NULL; cur = cur->next) {
Andrzej Kurek7ed01e82020-03-18 11:51:59 -0400[diff] [blame]690 flags = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]691 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
692 cur->cert);
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]693
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]694 int key_type_matches = 0;
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]695#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]697 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
698 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]699#else
David Horstmann3a334c22022-10-25 10:53:44 +0100[diff] [blame]700 key_type_matches = (
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]701 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
Neil Armstrong0c9c10a2022-05-12 14:15:06 +0200[diff] [blame]702#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if (!key_type_matches) {
704 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]705 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]706 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]707
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]708 /*
709 * This avoids sending the client a cert it'll reject based on
710 * keyUsage or other extensions.
711 *
712 * It also allows the user to provision different certificates for
713 * different uses based on keyUsage, eg if they want to avoid signing
714 * and decrypting with the same RSA key.
715 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]716 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
Manuel Pégourié-Gonnard7a4aa4d2024-08-09 11:49:12 +0200[diff] [blame]717 MBEDTLS_SSL_IS_CLIENT,
718 MBEDTLS_SSL_VERSION_TLS1_2,
719 &flags) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
721 "(extended) key usage extension"));
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]722 continue;
723 }
724
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]725#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 if (pk_alg == MBEDTLS_PK_ECDSA &&
727 ssl_check_key_curve(&cur->cert->pk,
728 ssl->handshake->curves_tls_id) != 0) {
729 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]730 continue;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]731 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]732#endif
Manuel Pégourié-Gonnard846ba472015-01-08 13:54:38 +0100[diff] [blame]733
734 /* If we get there, we got a winner */
735 break;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]736 }
737
Manuel Pégourié-Gonnard8f618a82015-05-10 21:13:36 +0200[diff] [blame]738 /* Do not update ssl->handshake->key_cert unless there is a match */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]739 if (cur != NULL) {
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]740 ssl->handshake->key_cert = cur;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]741 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
742 ssl->handshake->key_cert->cert);
743 return 0;
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]744 }
745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]746 return -1;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]747}
Gabor Mezei58535da2025-03-03 15:43:50 +0100[diff] [blame]748#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
749
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]750#endif /* MBEDTLS_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]751
752/*
753 * Check if a given ciphersuite is suitable for use with our config/keys/etc
754 * Sets ciphersuite_info only if the suite matches.
755 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]756MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]757static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
758 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]759{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]760 const mbedtls_ssl_ciphersuite_t *suite_info;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]761
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]762#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]763 mbedtls_pk_type_t sig_type;
764#endif
765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
767 if (suite_info == NULL) {
768 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
769 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]770 }
771
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]772 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
773 (unsigned int) suite_id, suite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]774
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]775 if (suite_info->min_tls_version > ssl->tls_version ||
776 suite_info->max_tls_version < ssl->tls_version) {
777 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
778 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]779 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]780
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]781#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]782 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
783 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
784 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
785 "not configured or ext missing"));
786 return 0;
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]787 }
788#endif
789
790
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]791#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]792 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
794 (ssl->handshake->curves_tls_id == NULL ||
795 ssl->handshake->curves_tls_id[0] == 0)) {
796 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
797 "no common elliptic curve"));
798 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]799 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]800#endif
801
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]802#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]803 /* If the ciphersuite requires a pre-shared key and we don't
804 * have one, skip it now rather than failing later */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]805 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
806 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
807 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
808 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]809 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]810#endif
811
Gabor Mezei58535da2025-03-03 15:43:50 +0100[diff] [blame]812#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]814#if defined(MBEDTLS_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]815 /*
816 * Final check: if ciphersuite requires us to have a
817 * certificate/key of a particular type:
818 * - select the appropriate certificate if we have one, or
819 * - try the next ciphersuite if we don't
820 * This must be done last since we modify the key_cert list.
821 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]822 if (ssl_pick_cert(ssl, suite_info) != 0) {
823 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
824 "no suitable certificate"));
825 return 0;
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]826 }
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]827#endif
828
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]829 /* If the ciphersuite requires signing, check whether
830 * a suitable hash algorithm is present. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]831 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
832 if (sig_type != MBEDTLS_PK_NONE &&
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]833 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
835 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
836 "for signature algorithm %u", (unsigned) sig_type));
837 return 0;
Neil Armstrong9f1176a2022-06-24 18:19:19 +0200[diff] [blame]838 }
839
840#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
841
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]842 *ciphersuite_info = suite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]843 return 0;
Manuel Pégourié-Gonnard32525602013-11-30 17:50:32 +0100[diff] [blame]844}
845
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]846/* This function doesn't alert on errors that happen early during
847 ClientHello parsing because they might indicate that the client is
848 not talking SSL/TLS at all and would not understand our alert. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]849MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]850static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]851{
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]852 int ret, got_common_suite;
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]853 size_t i, j;
854 size_t ciph_offset, comp_offset, ext_offset;
855 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]856#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard9de64f52015-07-01 15:51:43 +0200[diff] [blame]857 size_t cookie_offset, cookie_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]858#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]859 unsigned char *buf, *p, *ext;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]860#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]861 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]862#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]863 int handshake_failure = 0;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]864 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]865 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]867 /* If there is no signature-algorithm extension present,
868 * we need to fall back to the default values for allowed
869 * signature-hash pairs. */
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]870#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]871 int sig_hash_alg_ext_present = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]872#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]873
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]874 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]876 int renegotiating;
877
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]878#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]879read_record_header:
880#endif
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]881 /*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]882 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]883 * otherwise read it ourselves manually in order to support SSLv2
884 * ClientHello, which doesn't use the same record layer format.
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]885 * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
886 * ClientHello has been already fully fetched by the TLS 1.3 code and the
887 * flag ssl->keep_current_message is raised.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]888 */
David Horstmanne0af39a2022-10-06 18:19:18 +0100[diff] [blame]889 renegotiating = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]890#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]891 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]892#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]893 if (!renegotiating && !ssl->keep_current_message) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]894 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]895 /* No alert on a read error. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]896 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
897 return ret;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]898 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899 }
900
901 buf = ssl->in_hdr;
902
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]903 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]904
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]905 /*
Mateusz Starzyk06b07fb2021-02-18 13:55:21 +0100[diff] [blame]906 * TLS Client Hello
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]907 *
908 * Record layer:
909 * 0 . 0 message type
910 * 1 . 2 protocol version
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]911 * 3 . 11 DTLS: epoch + record sequence number
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]912 * 3 . 4 message length
913 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]914 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
915 buf[0]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
918 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
919 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]920 }
921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]922 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]923 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]924
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
926 buf[1], buf[2]));
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]927
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]928 /* For DTLS if this is the initial handshake, remember the client sequence
929 * number to use it in our next message (RFC 6347 4.2.1) */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]930#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]932#if defined(MBEDTLS_SSL_RENEGOTIATION)
933 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]934#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]935 ) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]936 /* Epoch should be 0 for initial handshakes */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]937 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
938 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
939 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]940 }
941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
943 sizeof(ssl->cur_out_ctr) - 2);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]944
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]945#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]946 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
947 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]948 ssl->next_record_offset = 0;
949 ssl->in_left = 0;
950 goto read_record_header;
951 }
952
953 /* No MAC to check yet, so we can update right now */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]954 mbedtls_ssl_dtls_replay_update(ssl);
Manuel Pégourié-Gonnardf03c7aa2014-09-24 14:54:06 +0200[diff] [blame]955#endif
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]956 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]957#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]958
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]959 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]960
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]961#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]963 /* Set by mbedtls_ssl_read_record() */
Manuel Pégourié-Gonnardb89c4f32015-01-21 13:24:10 +0000[diff] [blame]964 msg_len = ssl->in_hslen;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 } else
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]966#endif
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]967 {
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]968 if (ssl->keep_current_message) {
969 ssl->keep_current_message = 0;
970 } else {
971 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
972 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
973 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
974 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]975
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]976 if ((ret = mbedtls_ssl_fetch_input(ssl,
977 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
978 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
979 return ret;
980 }
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]981
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]982 /* Done reading this record, get ready for the next one */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983#if defined(MBEDTLS_SSL_PROTO_DTLS)
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]984 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
985 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
986 } else
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]987#endif
Ronald Cron6291b232023-03-08 15:51:25 +0100[diff] [blame]988 ssl->in_left = 0;
989 }
Manuel Pégourié-Gonnardd6b721c2014-03-24 12:13:54 +0100[diff] [blame]990 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]991
992 buf = ssl->in_msg;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]993
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]994 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]995
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]996 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
997 if (0 != ret) {
998 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
999 return ret;
1000 }
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1001
1002 /*
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1003 * Handshake layer:
1004 * 0 . 0 handshake type
1005 * 1 . 3 handshake length
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1006 * 4 . 5 DTLS only: message sequence number
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1007 * 6 . 8 DTLS only: fragment offset
1008 * 9 . 11 DTLS only: fragment length
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1009 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1010 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1011 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1012 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1013 }
1014
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1015 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1018 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1019 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1020 }
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1023 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1024 /*
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1025 * Copy the client's handshake message_seq on initial handshakes,
1026 * check sequence number on renego.
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1027 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1028#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1029 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1030 /* This couldn't be done in ssl_prepare_handshake_record() */
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1031 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1032 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1033 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1034 "%u (expected %u)", cli_msg_seq,
1035 ssl->handshake->in_msg_seq));
1036 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard1aa586e2014-09-03 12:54:04 +0200[diff] [blame]1037 }
1038
1039 ssl->handshake->in_msg_seq++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 } else
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1041#endif
1042 {
Thomas Daubneyf9f0ba82023-05-23 17:34:33 +0100[diff] [blame]1043 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1044 ssl->handshake->out_msg_seq = cli_msg_seq;
1045 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1046 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1047 {
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1048 /*
1049 * For now we don't support fragmentation, so make sure
1050 * fragment_offset == 0 and fragment_length == length
1051 */
1052 size_t fragment_offset, fragment_length, length;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1053 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1054 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1055 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1056 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1057 4, ("fragment_offset=%u fragment_length=%u length=%u",
1058 (unsigned) fragment_offset, (unsigned) fragment_length,
1059 (unsigned) length));
1060 if (fragment_offset != 0 || length != fragment_length) {
1061 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1062 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Andrzej Kurekcbe14ec2022-06-15 07:17:28 -0400[diff] [blame]1063 }
Manuel Pégourié-Gonnarde89bcf02014-02-18 18:50:02 +0100[diff] [blame]1064 }
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1065 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1067
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1068 buf += mbedtls_ssl_hs_hdr_len(ssl);
1069 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1070
Manuel Pégourié-Gonnardce441b32014-02-18 17:40:52 +0100[diff] [blame]1071 /*
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1072 * ClientHello layout:
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1073 * 0 . 1 protocol version
1074 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
Wenxing Hou3b9de382023-12-14 16:22:01 +0800[diff] [blame]1075 * 34 . 34 session id length (1 byte)
1076 * 35 . 34+x session id, where x = session id length from byte 34
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1077 * 35+x . 35+x DTLS only: cookie length (1 byte)
1078 * 36+x . .. DTLS only: cookie
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1079 * .. . .. ciphersuite list length (2 bytes)
1080 * .. . .. ciphersuite list
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1081 * .. . .. compression alg. list length (1 byte)
1082 * .. . .. compression alg. list
1083 * .. . .. extensions length (2 bytes, optional)
1084 * .. . .. extensions (optional)
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1085 */
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1086
1087 /*
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1088 * Minimal length (with everything empty and extensions omitted) is
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1089 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1090 * read at least up to session id length without worrying.
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1091 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1092 if (msg_len < 38) {
1093 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1094 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1095 }
1096
1097 /*
1098 * Check and save the protocol version
1099 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1100 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1101
Agathiyan Bragadeesh8b52b882023-07-13 13:12:40 +0100[diff] [blame]1102 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1103 ssl->conf->transport);
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1104 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1105 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1106
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1107 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1108 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1109 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1110 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1111 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1112 }
1113
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1114 /*
1115 * Save client random (inc. Unix time)
1116 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1117 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1118
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1119 memcpy(ssl->handshake->randbytes, buf + 2, 32);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1120
1121 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1122 * Check the session ID length and save session ID
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1123 */
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1124 sess_len = buf[34];
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1126 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1127 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1128 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1129 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1130 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1131 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1132 }
1133
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1134 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1135
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1136 ssl->session_negotiate->id_len = sess_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1137 memset(ssl->session_negotiate->id, 0,
1138 sizeof(ssl->session_negotiate->id));
1139 memcpy(ssl->session_negotiate->id, buf + 35,
1140 ssl->session_negotiate->id_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1141
1142 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1143 * Check the cookie length and content
1144 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1145#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1146 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
Manuel Pégourié-Gonnard19d438f2014-09-09 17:08:52 +0200[diff] [blame]1147 cookie_offset = 35 + sess_len;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1148 cookie_len = buf[cookie_offset];
1149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1150 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1151 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1152 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1153 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1154 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1155 }
1156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1157 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1158 buf + cookie_offset + 1, cookie_len);
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1160#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1161 if (ssl->conf->f_cookie_check != NULL
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1162#if defined(MBEDTLS_SSL_RENEGOTIATION)
1163 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1164#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1165 ) {
1166 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1167 buf + cookie_offset + 1, cookie_len,
1168 ssl->cli_id, ssl->cli_id_len) != 0) {
1169 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1170 ssl->handshake->cookie_verify_result = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1171 } else {
1172 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]1173 ssl->handshake->cookie_verify_result = 0;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1174 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1175 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1176#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1177 {
1178 /* We know we didn't send a cookie, so it should be empty */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1179 if (cookie_len != 0) {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1180 /* This may be an attacker's probe, so don't send an alert */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1181 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1182 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1183 }
1184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1185 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1186 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1187
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1188 /*
1189 * Check the ciphersuitelist length (will be parsed later)
1190 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]1191 ciph_offset = cookie_offset + 1 + cookie_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1192 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1193#endif /* MBEDTLS_SSL_PROTO_DTLS */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1194 ciph_offset = 35 + sess_len;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1195
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1196 ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1197
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1198 if (ciph_len < 2 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1199 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200 (ciph_len % 2) != 0) {
1201 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1203 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1204 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1205 }
1206
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1207 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1208 buf + ciph_offset + 2, ciph_len);
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1209
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1210 /*
Thomas Daubney20f89a92022-06-20 15:12:19 +0100[diff] [blame]1211 * Check the compression algorithm's length.
1212 * The list contents are ignored because implementing
1213 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1214 * option supported by Mbed TLS.
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1215 */
1216 comp_offset = ciph_offset + 2 + ciph_len;
1217
1218 comp_len = buf[comp_offset];
1219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1220 if (comp_len < 1 ||
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1221 comp_len > 16 ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1222 comp_len + comp_offset + 1 > msg_len) {
1223 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1224 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1225 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1226 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerec636f32012-09-09 19:17:02 +0000[diff] [blame]1227 }
1228
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1229 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1230 buf + comp_offset + 1, comp_len);
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1231
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1232 /*
1233 * Check the extension length
1234 */
1235 ext_offset = comp_offset + 1 + comp_len;
1236 if (msg_len > ext_offset) {
1237 if (msg_len < ext_offset + 2) {
1238 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1239 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1240 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1241 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1242 }
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1243
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1244 ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1245
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1246 if (msg_len != ext_offset + 2 + ext_len) {
1247 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1248 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1249 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1250 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1251 }
1252 } else {
1253 ext_len = 0;
1254 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1255
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1256 ext = buf + ext_offset + 2;
1257 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1258
1259 while (ext_len != 0) {
1260 unsigned int ext_id;
1261 unsigned int ext_size;
1262 if (ext_len < 4) {
1263 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1264 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1265 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1266 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1267 }
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]1268 ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1269 ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1270
1271 if (ext_size + 4 > ext_len) {
1272 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1273 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1274 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1275 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1276 }
1277 switch (ext_id) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1278#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1279 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1280 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1281 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1282 ext + 4 + ext_size);
1283 if (ret != 0) {
1284 return ret;
1285 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1286 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1287#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +0000[diff] [blame]1288
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1289 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1290 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1291#if defined(MBEDTLS_SSL_RENEGOTIATION)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1292 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1293#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1294
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1295 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1296 if (ret != 0) {
1297 return ret;
1298 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1299 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1300
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1301#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1302 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1303 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
Ron Eldor73a38172017-10-03 15:58:26 +0300[diff] [blame]1304
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1305 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1306 if (ret != 0) {
1307 return ret;
1308 }
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1309
1310 sig_hash_alg_ext_present = 1;
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1311 break;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1312#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1314#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1315 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1316 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Jerry Yub47d0f82021-12-20 17:34:40 +0800[diff] [blame]1317 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1318 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1319
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1320 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1321 if (ret != 0) {
1322 return ret;
1323 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1324 break;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1325
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1326 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1327 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1328 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1330 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1331 if (ret != 0) {
1332 return ret;
1333 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1334 break;
Valerio Setti60d3b912023-07-25 10:43:53 +0200[diff] [blame]1335#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1336 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1337 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1338
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1339#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1340 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1341 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1342
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1343 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1344 if (ret != 0) {
1345 return ret;
1346 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1347 break;
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]1348#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1350#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1351 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1352 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1353
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1354 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1355 if (ret != 0) {
1356 return ret;
1357 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1358 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard48f8d0d2013-07-17 10:25:37 +0200[diff] [blame]1360
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1361#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1362 case MBEDTLS_TLS_EXT_CID:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1366 if (ret != 0) {
1367 return ret;
1368 }
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1369 break;
Thomas Daubneye1c9a402021-06-15 11:26:43 +0100[diff] [blame]1370#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker89dcc882019-04-26 13:56:39 +0100[diff] [blame]1371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1373 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1377 if (ret != 0) {
1378 return ret;
1379 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1380 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1384 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1385 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1387 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1388 if (ret != 0) {
1389 return ret;
1390 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1391 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1393
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1394#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1395 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1396 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1397
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1398 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1399 if (ret != 0) {
1400 return ret;
1401 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1402 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1403#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1404
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405#if defined(MBEDTLS_SSL_ALPN)
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1406 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1407 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1408
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1409 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1410 ext + 4 + ext_size);
1411 if (ret != 0) {
1412 return ret;
1413 }
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1414 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]1416
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1417#if defined(MBEDTLS_SSL_DTLS_SRTP)
1418 case MBEDTLS_TLS_EXT_USE_SRTP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1419 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
Johan Pascald576fdb2020-09-22 10:39:53 +0200[diff] [blame]1420
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1422 if (ret != 0) {
1423 return ret;
1424 }
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1425 break;
1426#endif /* MBEDTLS_SSL_DTLS_SRTP */
1427
Simon Butcher584a5472016-05-23 16:24:52 +0100[diff] [blame]1428 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1429 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1430 ext_id));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1431 }
Janos Follathc6dab2b2016-05-23 14:27:02 +0100[diff] [blame]1432
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 ext_len -= 4 + ext_size;
1434 ext += 4 + ext_size;
1435 }
1436
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1437#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1438
1439 /*
1440 * Try to fall back to default hash SHA1 if the client
1441 * hasn't provided any preferred signature-hash combinations.
1442 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1443 if (!sig_hash_alg_ext_present) {
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1444 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1445 const uint16_t default_sig_algs[] = {
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1446#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1447 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1448 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1449#endif
1450#if defined(MBEDTLS_RSA_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1451 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1452 MBEDTLS_SSL_HASH_SHA1),
Gabor Mezeic1051b62022-05-10 13:13:58 +0200[diff] [blame]1453#endif
Gabor Mezei86acf052022-05-10 13:29:02 +0200[diff] [blame]1454 MBEDTLS_TLS_SIG_NONE
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1455 };
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1456
Tom Cosgrove6ef9bb32023-03-08 14:19:51 +0000[diff] [blame]1457 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1458 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1459 "default_sig_algs is too big");
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1460
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1461 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1462 }
1463
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]1464#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1465
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1466 /*
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1467 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1468 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1469 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1470 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1471 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1472#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1473 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1474 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1475 "during renegotiation"));
1476 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1477 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1478 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1479 }
Manuel Pégourié-Gonnard69849f82015-03-10 11:54:02 +0000[diff] [blame]1480#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard8933a652014-03-20 17:29:27 +0100[diff] [blame]1482 break;
1483 }
1484 }
1485
1486 /*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1487 * Renegotiation security checks
1488 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1489 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1490 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1491 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1492 handshake_failure = 1;
1493 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1494#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1495 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1497 renegotiation_info_seen == 0) {
1498 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1499 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1500 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1501 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1502 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1503 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1504 handshake_failure = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1506 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1507 renegotiation_info_seen == 1) {
1508 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1509 handshake_failure = 1;
1510 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 if (handshake_failure == 1) {
1514 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1515 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1516 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1517 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1518
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1519 /*
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1520 * Server certification selection (after processing TLS extensions)
1521 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1522 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1523 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1524 return ret;
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1525 }
Glenn Strauss69894072022-01-24 12:58:00 -0500[diff] [blame]1526#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1527 ssl->handshake->sni_name = NULL;
1528 ssl->handshake->sni_name_len = 0;
1529#endif
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1530
1531 /*
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1532 * Search for a matching ciphersuite
Manuel Pégourié-Gonnard3ebb2cd2013-09-23 17:00:18 +0200[diff] [blame]1533 * (At the end because we need information from the EC-based extensions
Glenn Strauss2ed95272022-01-21 18:02:17 -0500[diff] [blame]1534 * and certificate from the SNI callback triggered by the SNI extension
1535 * or certificate from server certificate selection callback.)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1536 */
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1537 got_common_suite = 0;
Hanno Beckerd60b6c62021-04-29 12:04:11 +0100[diff] [blame]1538 ciphersuites = ssl->conf->ciphersuite_list;
Manuel Pégourié-Gonnard59b81d72013-11-30 17:46:04 +0100[diff] [blame]1539 ciphersuite_info = NULL;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1542 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1543 for (i = 0; ciphersuites[i] != 0; i++) {
1544 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1545 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1547
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1548 got_common_suite = 1;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1549
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1550 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1551 &ciphersuite_info)) != 0) {
1552 return ret;
1553 }
Manuel Pégourié-Gonnard011a8db2013-11-30 18:11:07 +0100[diff] [blame]1554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1556 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1557 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1558 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1559 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1560 } else {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 for (i = 0; ciphersuites[i] != 0; i++) {
1562 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1563 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1564 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1565 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1566
1567 got_common_suite = 1;
1568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1570 &ciphersuite_info)) != 0) {
1571 return ret;
1572 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1573
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1574 if (ciphersuite_info != NULL) {
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1575 goto have_ciphersuite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1577 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578 }
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]1579 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1580
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1581 if (got_common_suite) {
1582 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1583 "but none of them usable"));
1584 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1585 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1586 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1587 } else {
1588 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1589 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1590 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1591 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]1592 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1593
1594have_ciphersuite:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
Manuel Pégourié-Gonnard607d6632015-01-26 11:17:20 +0000[diff] [blame]1596
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1597 ssl->session_negotiate->ciphersuite = ciphersuites[i];
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]1598 ssl->handshake->ciphersuite_info = ciphersuite_info;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1599
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1600 ssl->state++;
1601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1602#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1603 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1604 mbedtls_ssl_recv_flight_completed(ssl);
1605 }
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1606#endif
1607
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1608 /* Debugging-only output for testsuite */
1609#if defined(MBEDTLS_DEBUG_C) && \
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]1610 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1611 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1612 if (sig_alg != MBEDTLS_PK_NONE) {
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]1613 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1614 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1615 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1616 sig_hash));
1617 } else {
1618 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1619 "%u - should not happen", (unsigned) sig_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]1620 }
1621#endif
1622
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1623 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1624
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1625 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1626}
1627
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1628#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1629static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1630 unsigned char *buf,
1631 size_t *olen)
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1632{
1633 unsigned char *p = buf;
1634 size_t ext_len;
1635 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1636
1637 *olen = 0;
1638
1639 /* Skip writing the extension if we don't want to use it or if
1640 * the client hasn't offered it. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1641 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1642 return;
1643 }
1644
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1645 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1646 * which is at most 255, so the increment cannot overflow. */
1647 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1648 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1649 return;
1650 }
1651
1652 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1653
1654 /*
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1655 * struct {
1656 * opaque cid<0..2^8-1>;
1657 * } ConnectionId;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1658 */
1659 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1660 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1661 ext_len = (size_t) ssl->own_cid_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1662 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1663 p += 2;
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1664
1665 *p++ = (uint8_t) ssl->own_cid_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1666 memcpy(p, ssl->own_cid, ssl->own_cid_len);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1667
1668 *olen = ssl->own_cid_len + 5;
1669}
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1670#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]1671
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1672#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1674 unsigned char *buf,
1675 size_t *olen)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1676{
1677 unsigned char *p = buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678 const mbedtls_ssl_ciphersuite_t *suite = NULL;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1679
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1680 /*
1681 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1682 * from a client and then selects a stream or Authenticated Encryption
1683 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1684 * encrypt-then-MAC response extension back to the client."
1685 */
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1686 suite = mbedtls_ssl_ciphersuite_from_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1687 ssl->session_negotiate->ciphersuite);
1688 if (suite == NULL) {
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1689 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1690 } else {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1691 mbedtls_ssl_mode_t ssl_mode =
Neil Armstrongab555e02022-04-04 11:07:59 +0200[diff] [blame]1692 mbedtls_ssl_get_mode_from_ciphersuite(
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1693 ssl->session_negotiate->encrypt_then_mac,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1694 suite);
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1695
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1696 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
Neil Armstrongfe635e42022-04-01 10:36:09 +0200[diff] [blame]1697 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1698 }
Ronald Cron862902d2022-03-24 14:15:28 +0100[diff] [blame]1699 }
1700
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1701 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1702 *olen = 0;
1703 return;
1704 }
1705
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1706 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1707
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1708 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1709 p += 2;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1710
1711 *p++ = 0x00;
1712 *p++ = 0x00;
1713
1714 *olen = 4;
1715}
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]1716#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1717
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1718#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1719static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1720 unsigned char *buf,
1721 size_t *olen)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1722{
1723 unsigned char *p = buf;
1724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1726 *olen = 0;
1727 return;
1728 }
1729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1730 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1731 "extension"));
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1733 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1734 p += 2;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1735
1736 *p++ = 0x00;
1737 *p++ = 0x00;
1738
1739 *olen = 4;
1740}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1745 unsigned char *buf,
1746 size_t *olen)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1747{
1748 unsigned char *p = buf;
1749
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1750 if (ssl->handshake->new_session_ticket == 0) {
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1751 *olen = 0;
1752 return;
1753 }
1754
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1755 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1756
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1757 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1758 p += 2;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1759
1760 *p++ = 0x00;
1761 *p++ = 0x00;
1762
1763 *olen = 4;
1764}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1765#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]1766
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1767static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1768 unsigned char *buf,
1769 size_t *olen)
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1770{
1771 unsigned char *p = buf;
1772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1773 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1774 *olen = 0;
1775 return;
1776 }
1777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1778 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1779
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1780 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1781 p += 2;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1784 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1785 *p++ = 0x00;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1786 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1787 *p++ = ssl->verify_data_len * 2 & 0xFF;
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1789 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1790 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1791 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1792 p += ssl->verify_data_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1793 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1794#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1795 {
1796 *p++ = 0x00;
1797 *p++ = 0x01;
1798 *p++ = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1799 }
Manuel Pégourié-Gonnard19389752015-06-23 13:46:44 +0200[diff] [blame]1800
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1801 *olen = (size_t) (p - buf);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]1802}
1803
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1804#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1805static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1806 unsigned char *buf,
1807 size_t *olen)
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1808{
1809 unsigned char *p = buf;
1810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1811 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1812 *olen = 0;
1813 return;
1814 }
1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1817
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1818 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1819 p += 2;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1820
1821 *p++ = 0x00;
1822 *p++ = 1;
1823
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +0200[diff] [blame]1824 *p++ = ssl->session_negotiate->mfl_code;
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1825
1826 *olen = 5;
1827}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1828#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]1829
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1830#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1831 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1832 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1833static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1834 unsigned char *buf,
1835 size_t *olen)
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1836{
1837 unsigned char *p = buf;
1838 ((void) ssl);
1839
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1840 if ((ssl->handshake->cli_exts &
1841 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
Paul Bakker677377f2013-10-28 12:54:26 +0100[diff] [blame]1842 *olen = 0;
1843 return;
1844 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1845
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1846 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1848 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1849 p += 2;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1850
1851 *p++ = 0x00;
1852 *p++ = 2;
1853
1854 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1855 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1856
1857 *olen = 6;
1858}
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]1859#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]1860 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]1861 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1862
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1863#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1864static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1865 unsigned char *buf,
1866 size_t *olen)
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1867{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1868 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1869 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]1870 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1871 size_t kkpp_len;
1872
1873 *olen = 0;
1874
1875 /* Skip costly computation if not needed */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1876 if (ssl->handshake->ciphersuite_info->key_exchange !=
1877 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1878 return;
1879 }
1880
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1881 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1882
1883 if (end - p < 4) {
1884 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1885 return;
1886 }
1887
1888 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1889 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1890
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1891 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]1892 p + 2, (size_t) (end - p - 2), &kkpp_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1893 MBEDTLS_ECJPAKE_ROUND_ONE);
1894 if (ret != 0) {
1895 psa_destroy_key(ssl->handshake->psa_pake_password);
1896 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1897 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
Valerio Settia9883642022-11-17 15:34:59 +0100[diff] [blame]1898 return;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]1899 }
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1900
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1901 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]1902 p += 2;
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]1903
1904 *olen = kkpp_len + 4;
1905}
1906#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1908#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1909static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1910 unsigned char *buf,
1911 size_t *olen)
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1912{
Ron Eldor75870ec2018-12-06 17:31:55 +0200[diff] [blame]1913 size_t mki_len = 0, ext_len = 0;
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1914 uint16_t profile_value = 0;
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1915 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1916
1917 *olen = 0;
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1919 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1920 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1921 return;
1922 }
1923
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1924 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1925
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1926 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1927 mki_len = ssl->dtls_srtp_info.mki_len;
1928 }
1929
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]1930 /* The extension total size is 9 bytes :
1931 * - 2 bytes for the extension tag
1932 * - 2 bytes for the total size
1933 * - 2 bytes for the protection profile length
1934 * - 2 bytes for the protection profile
1935 * - 1 byte for the mki length
1936 * + the actual mki length
1937 * Check we have enough room in the output buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1938 if ((size_t) (end - buf) < mki_len + 9) {
1939 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
Johan Pascal8f70fba2020-09-02 10:32:06 +0200[diff] [blame]1940 return;
1941 }
1942
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1943 /* extension */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1944 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
Ron Eldoref72faf2018-07-12 11:54:20 +0300[diff] [blame]1945 /*
1946 * total length 5 and mki value: only one profile(2 bytes)
1947 * and length(2 bytes) and srtp_mki )
1948 */
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1949 ext_len = 5 + mki_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1951
1952 /* protection profile length: 2 */
1953 buf[4] = 0x00;
1954 buf[5] = 0x02;
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]1955 profile_value = mbedtls_ssl_check_srtp_profile_value(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1956 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
1957 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
1958 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
1959 } else {
1960 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
Ron Eldor089c9fe2018-12-06 17:12:49 +0200[diff] [blame]1961 return;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1962 }
1963
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1964 buf[8] = mki_len & 0xFF;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1965 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1966
Ron Eldor591f1622018-01-22 12:30:04 +0200[diff] [blame]1967 *olen = 9 + mki_len;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]1968}
1969#endif /* MBEDTLS_SSL_DTLS_SRTP */
1970
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1972MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1973static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1974{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]1975 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1976 unsigned char *p = ssl->out_msg + 4;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]1977 unsigned char *cookie_len_byte;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1979 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1980
1981 /*
1982 * struct {
1983 * ProtocolVersion server_version;
1984 * opaque cookie<0..2^8-1>;
1985 * } HelloVerifyRequest;
1986 */
1987
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1988 /* The RFC is not clear on this point, but sending the actual negotiated
1989 * version looks like the most interoperable thing to do. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1990 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
1991 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]1992 p += 2;
1993
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1994 /* If we get here, f_cookie_check is not null */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 if (ssl->conf->f_cookie_write == NULL) {
1996 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
1997 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard7d38d212014-07-23 17:52:09 +0200[diff] [blame]1998 }
1999
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2000 /* Skip length byte until we know the length */
2001 cookie_len_byte = p++;
2002
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2003 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2004 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2005 ssl->cli_id, ssl->cli_id_len)) != 0) {
2006 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2007 return ret;
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2008 }
2009
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2010 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
Manuel Pégourié-Gonnardd7f9bc52014-07-23 11:09:27 +0200[diff] [blame]2011
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2012 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2013
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2014 ssl->out_msglen = (size_t) (p - ssl->out_msg);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2016 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2017
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2018 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2019
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2020 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2021 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2022 return ret;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2023 }
2024
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2025#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2026 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2027 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2028 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2029 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2030 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]2031#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]2032
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2033 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2034
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2035 return 0;
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2036}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2038
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2039static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2040{
2041 int ret;
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2042 mbedtls_ssl_session session_tmp;
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2043 mbedtls_ssl_session * const session = ssl->session_negotiate;
2044
2045 /* Resume is 0 by default, see ssl_handshake_init().
2046 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2047 if (ssl->handshake->resume == 1) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2048 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2049 }
2050 if (session->id_len == 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2051 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2052 }
2053 if (ssl->conf->f_get_cache == NULL) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2054 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2055 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2056#if defined(MBEDTLS_SSL_RENEGOTIATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2057 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2058 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2059 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2060#endif
2061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2062 mbedtls_ssl_session_init(&session_tmp);
Hanno Beckera5b1a392021-04-15 16:48:01 +0100[diff] [blame]2063
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2064 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2065 session->id,
2066 session->id_len,
2067 &session_tmp);
2068 if (ret != 0) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2069 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2070 }
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2071
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2072 if (session->ciphersuite != session_tmp.ciphersuite) {
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2073 /* Mismatch between cached and negotiated session */
2074 goto exit;
2075 }
2076
2077 /* Move semantics */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 mbedtls_ssl_session_free(session);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2079 *session = session_tmp;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2080 memset(&session_tmp, 0, sizeof(session_tmp));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2081
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2082 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2083 ssl->handshake->resume = 1;
2084
2085exit:
2086
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2087 mbedtls_ssl_session_free(&session_tmp);
Hanno Becker64ce9742021-04-15 08:19:40 +0100[diff] [blame]2088}
2089
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2090MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2092{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2093#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]2094 mbedtls_time_t t;
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2095#endif
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2096 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2097 size_t olen, ext_len = 0, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2098 unsigned char *buf, *p;
2099
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2100 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2103 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2104 ssl->handshake->cookie_verify_result != 0) {
2105 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2106 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2107
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2108 return ssl_write_hello_verify_request(ssl);
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2109 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2110#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
Manuel Pégourié-Gonnard2c9ee812014-07-22 11:45:03 +0200[diff] [blame]2111
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112 /*
2113 * 0 . 0 handshake type
2114 * 1 . 3 handshake length
2115 * 4 . 5 protocol version
2116 * 6 . 9 UNIX time()
2117 * 10 . 37 random bytes
2118 */
2119 buf = ssl->out_msg;
2120 p = buf + 4;
2121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2122 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]2123 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2125 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2126 buf[4], buf[5]));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2128#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2129 t = mbedtls_time(NULL);
2130 MBEDTLS_PUT_UINT32_BE(t, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2131 p += 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2134 (long long) t));
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2135#else
Ben Taylor602b2962025-03-07 15:52:50 +0000[diff] [blame^]2136 if ((ret = psa_generate_random(ssl->conf->p_rng, p, 4)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2137 return ret;
2138 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]2139
2140 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141#endif /* MBEDTLS_HAVE_TIME */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142
Ben Taylor602b2962025-03-07 15:52:50 +0000[diff] [blame^]2143 if ((ret = psa_generate_random(p, 20)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2144 return ret;
2145 }
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2146 p += 20;
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2147
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2148#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2149 /*
2150 * RFC 8446
2151 * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2152 * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2153 * response to a ClientHello MUST set the last 8 bytes of their Random
2154 * value specially in their ServerHello.
2155 */
2156 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2157 static const unsigned char magic_tls12_downgrade_string[] =
2158 { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2159
2160 MBEDTLS_STATIC_ASSERT(
2161 sizeof(magic_tls12_downgrade_string) == 8,
2162 "magic_tls12_downgrade_string does not have the expected size");
2163
Ronald Cronfe01ec22023-04-06 09:56:53 +0200[diff] [blame]2164 memcpy(p, magic_tls12_downgrade_string,
2165 sizeof(magic_tls12_downgrade_string));
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2166 } else
2167#endif
2168 {
Ben Taylor602b2962025-03-07 15:52:50 +0000[diff] [blame^]2169
2170 if ((ret = psa_generate_random(p, 8)) != 0) {
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]2171 return ret;
2172 }
2173 }
2174 p += 8;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2180 ssl_handle_id_based_session_resumption(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2181
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2182 if (ssl->handshake->resume == 0) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2183 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2184 * New session, create a new session id,
2185 * unless we're about to issue a session ticket
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2187 ssl->state++;
2188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2189#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2190 ssl->session_negotiate->start = mbedtls_time(NULL);
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]2191#endif
2192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2193#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2194 if (ssl->handshake->new_session_ticket != 0) {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2195 ssl->session_negotiate->id_len = n = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2196 memset(ssl->session_negotiate->id, 0, 32);
2197 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2198#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2199 {
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2200 ssl->session_negotiate->id_len = n = 32;
Ben Taylor602b2962025-03-07 15:52:50 +0000[diff] [blame^]2201 if ((ret = psa_generate_random(ssl->session_negotiate->id,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2202 n)) != 0) {
2203 return ret;
2204 }
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2205 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2206 } else {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2207 /*
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2208 * Resuming a session
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2210 n = ssl->session_negotiate->id_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2212
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2213 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2214 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2215 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2216 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2217 }
2218
Manuel Pégourié-Gonnard3ffa3db2013-08-02 11:59:05 +0200[diff] [blame]2219 /*
2220 * 38 . 38 session id length
2221 * 39 . 38+n session id
2222 * 39+n . 40+n chosen ciphersuite
2223 * 41+n . 41+n chosen compression alg.
2224 * 42+n . 43+n extensions length
2225 * 44+n . 43+n+m extensions
2226 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2227 *p++ = (unsigned char) ssl->session_negotiate->id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2228 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]2229 p += ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2230
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2231 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2232 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2233 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2234 ssl->handshake->resume ? "a" : "no"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2236 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2237 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2238 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2239
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2240 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2241 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2242 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2243 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2244
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2245 /*
2246 * First write extensions, then the total length
2247 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnardf11a6d72013-07-17 11:17:14 +0200[diff] [blame]2249 ext_len += olen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2252 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2253 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]2254#endif
Manuel Pégourié-Gonnard7bb78992013-07-17 13:50:08 +0200[diff] [blame]2255
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2256#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2257 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
Hanno Becker51de2d32019-04-26 15:46:55 +0100[diff] [blame]2258 ext_len += olen;
2259#endif
2260
Neil Armstrong76b74072022-04-06 13:43:54 +0200[diff] [blame]2261#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2262 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2263 ext_len += olen;
2264#endif
2265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2266#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2267 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2268 ext_len += olen;
2269#endif
2270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2272 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2273 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]2274#endif
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]2275
Valerio Setti7aeec542023-07-05 18:57:21 +0200[diff] [blame]2276#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
Valerio Settie9646ec2023-08-02 20:02:28 +0200[diff] [blame]2277 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2278 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Leonid Rozenboim28752702022-04-21 18:00:52 -0700[diff] [blame]2279 const mbedtls_ssl_ciphersuite_t *suite =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2280 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2281 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2282 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]2283 ext_len += olen;
2284 }
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2285#endif
2286
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2287#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2288 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]2289 ext_len += olen;
2290#endif
2291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2292#if defined(MBEDTLS_SSL_ALPN)
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2293 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2294 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2295 != 0) {
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2296 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2297 }
Paul Elliottf518f812022-07-11 12:36:20 +0100[diff] [blame]2298
Manuel Pégourié-Gonnard89e35792014-04-07 12:10:30 +0200[diff] [blame]2299 ext_len += olen;
2300#endif
2301
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2302#if defined(MBEDTLS_SSL_DTLS_SRTP)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2303 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
Johan Pascalc3ccd982020-10-28 17:18:18 +0100[diff] [blame]2304 ext_len += olen;
Johan Pascalb62bb512015-12-03 21:56:45 +0100[diff] [blame]2305#endif
2306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2307 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2308 ext_len));
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2309
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2310 if (ext_len > 0) {
2311 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
Joe Subbiani94180e72021-08-20 16:20:44 +0100[diff] [blame]2312 p += 2 + ext_len;
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]2313 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2314
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2315 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2316 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2317 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2319 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2322
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2323 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2324}
2325
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2326#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2327MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2328static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2329{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2330 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2331 ssl->handshake->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2332
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2333 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2335 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2336 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2337 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2338 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2339 }
2340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2341 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2342 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2343}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2344#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2345MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2346static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2347{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2349 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2350 ssl->handshake->ciphersuite_info;
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2351 uint16_t dn_size, total_dn_size; /* excluding length bytes */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2352 size_t ct_len, sa_len; /* including length bytes */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2353 unsigned char *buf, *p;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2354 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2355 const mbedtls_x509_crt *crt;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2356 int authmode;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2357
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2358 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2359
2360 ssl->state++;
2361
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2362#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2363 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2364 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2365 } else
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2366#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2367 authmode = ssl->conf->authmode;
Manuel Pégourié-Gonnardcdc26ae2015-06-19 12:16:31 +0200[diff] [blame]2368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2369 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2370 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2371 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2372 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2373 }
2374
2375 /*
2376 * 0 . 0 handshake type
2377 * 1 . 3 handshake length
2378 * 4 . 4 cert type count
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2379 * 5 .. m-1 cert types
2380 * m .. m+1 sig alg length (TLS 1.2 only)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]2381 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2382 * n .. n+1 length of all DNs
2383 * n+2 .. n+3 length of DN 1
2384 * n+4 .. ... Distinguished Name #1
2385 * ... .. ... length of DN 2, etc.
2386 */
2387 buf = ssl->out_msg;
2388 p = buf + 4;
2389
2390 /*
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2391 * Supported certificate types
2392 *
2393 * ClientCertificateType certificate_types<1..2^8-1>;
2394 * enum { (255) } ClientCertificateType;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395 */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2396 ct_len = 0;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2397
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398#if defined(MBEDTLS_RSA_C)
2399 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2400#endif
Valerio Setti45d56f32023-07-13 17:23:20 +0200[diff] [blame]2401#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2402 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2403#endif
2404
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]2405 p[0] = (unsigned char) ct_len++;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2406 p += ct_len;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2407
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2408 sa_len = 0;
Jerry Yue7541932022-01-28 10:21:24 +0800[diff] [blame]2409
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2410 /*
2411 * Add signature_algorithms for verify (TLS 1.2)
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2412 *
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2413 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2414 *
2415 * struct {
2416 * HashAlgorithm hash;
2417 * SignatureAlgorithm signature;
2418 * } SignatureAndHashAlgorithm;
2419 *
2420 * enum { (255) } HashAlgorithm;
2421 * enum { (255) } SignatureAlgorithm;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2422 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2423 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2424 if (sig_alg == NULL) {
2425 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2426 }
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2427
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2428 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2429 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
Jerry Yu6106fdc2022-01-12 16:36:14 +0800[diff] [blame]2430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2431 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2432 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2433 }
2434 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2435 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2436 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2437
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2438 /* Write elements at offsets starting from 1 (offset 0 is for the
2439 * length). Thus the offset of each element is the length of the
2440 * partial list including that element. */
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2441 sa_len += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2442 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2443
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2444 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2445
Paul Elliott96a0fd92022-11-08 17:09:56 +0000[diff] [blame]2446 /* Fill in list length. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2448 sa_len += 2;
2449 p += sa_len;
2450
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]2451 /*
2452 * DistinguishedName certificate_authorities<0..2^16-1>;
2453 * opaque DistinguishedName<1..2^16-1>;
2454 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2455 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2456
Paul Bakkerbc3d9842012-11-26 16:12:02 +0100[diff] [blame]2457 total_dn_size = 0;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2458
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2459 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
Hanno Becker8bf74f32019-03-27 11:01:30 +0000[diff] [blame]2460 /* NOTE: If trusted certificates are provisioned
2461 * via a CA callback (configured through
2462 * `mbedtls_ssl_conf_ca_cb()`, then the
2463 * CertificateRequest is currently left empty. */
2464
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2465#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2466#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2467 if (ssl->handshake->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2468 crt = ssl->handshake->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2469 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2470#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2471 if (ssl->conf->dn_hints != NULL) {
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2472 crt = ssl->conf->dn_hints;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2473 } else
Glenn Strauss999ef702022-03-11 01:37:23 -0500[diff] [blame]2474#endif
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2475#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2476 if (ssl->handshake->sni_ca_chain != NULL) {
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2477 crt = ssl->handshake->sni_ca_chain;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2478 } else
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2479#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2480 crt = ssl->conf->ca_chain;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2481
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2482 while (crt != NULL && crt->version != 0) {
irwirc9bc3002020-04-01 13:46:36 +0300[diff] [blame]2483 /* It follows from RFC 5280 A.1 that this length
2484 * can be represented in at most 11 bits. */
2485 dn_size = (uint16_t) crt->subject_raw.len;
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2487 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2488 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2489 break;
2490 }
2491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2492 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
Joe Subbiani1f6c3ae2021-08-20 11:44:44 +0100[diff] [blame]2493 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2494 memcpy(p, crt->subject_raw.p, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2495 p += dn_size;
2496
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2497 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2498
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2499 total_dn_size += (unsigned short) (2 + dn_size);
Janos Follath088ce432017-04-10 12:42:31 +0100[diff] [blame]2500 crt = crt->next;
Manuel Pégourié-Gonnardbc1babb2015-10-02 11:16:47 +0200[diff] [blame]2501 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2502 }
2503
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2504 ssl->out_msglen = (size_t) (p - buf);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2505 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2506 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2507 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 ret = mbedtls_ssl_write_handshake_msg(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2511 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2513 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2514}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2515#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516
Valerio Setti4d0e8462023-10-06 13:20:21 +0200[diff] [blame]2517#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2518 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2519MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2520static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2521{
2522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2523 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2524 mbedtls_pk_context *pk;
2525 mbedtls_pk_type_t pk_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2526 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2527 unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2528 size_t key_len;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2529#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2530 uint16_t tls_id = 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2531 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2532 mbedtls_ecp_group_id grp_id;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2533 mbedtls_ecp_keypair *key;
2534#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 pk = mbedtls_ssl_own_key(ssl);
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2538 if (pk == NULL) {
2539 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2540 }
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2541
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2542 pk_type = mbedtls_pk_get_type(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2543
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2544 switch (pk_type) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545 case MBEDTLS_PK_OPAQUE:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2546#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2547 case MBEDTLS_PK_ECKEY:
2548 case MBEDTLS_PK_ECKEY_DH:
2549 case MBEDTLS_PK_ECDSA:
2550#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2551 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2552 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2553 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2554
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2555 /* Get the attributes of the key previously parsed by PK module in
2556 * order to extract its type and length (in bits). */
2557 status = psa_get_key_attributes(pk->priv_id, &key_attributes);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2558 if (status != PSA_SUCCESS) {
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2559 ret = PSA_TO_MBEDTLS_ERR(status);
2560 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2561 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2562 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2563 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2564
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2565#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2566 if (pk_type != MBEDTLS_PK_OPAQUE) {
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2567 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2568 * module and only have ECDSA capabilities. Since we need
2569 * them for ECDH later, we export and then re-import them with
2570 * proper flags and algorithm. Of course We also set key's type
2571 * and bits that we just got above. */
2572 key_attributes = psa_key_attributes_init();
2573 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2574 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2575 psa_set_key_type(&key_attributes,
2576 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2577 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2578
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2579 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2580 if (status != PSA_SUCCESS) {
2581 ret = PSA_TO_MBEDTLS_ERR(status);
2582 goto exit;
2583 }
2584 status = psa_import_key(&key_attributes, buf, key_len,
2585 &ssl->handshake->xxdh_psa_privkey);
2586 if (status != PSA_SUCCESS) {
2587 ret = PSA_TO_MBEDTLS_ERR(status);
2588 goto exit;
2589 }
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2590
Valerio Setti202bb712023-12-06 17:05:24 +0100[diff] [blame]2591 /* Set this key as owned by the TLS library: it will be its duty
2592 * to clear it exit. */
2593 ssl->handshake->xxdh_psa_privkey_is_external = 0;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2594
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2595 ret = 0;
2596 break;
2597 }
2598#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2599
2600 /* Opaque key is created by the user (externally from Mbed TLS)
2601 * so we assume it already has the right algorithm and flags
2602 * set. Just copy its ID as reference. */
2603 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2604 ssl->handshake->xxdh_psa_privkey_is_external = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2605 ret = 0;
2606 break;
Gilles Peskinec6d2df82023-12-18 20:38:38 +0100[diff] [blame]2607
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2608#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2609 case MBEDTLS_PK_ECKEY:
2610 case MBEDTLS_PK_ECKEY_DH:
2611 case MBEDTLS_PK_ECDSA:
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2612 key = mbedtls_pk_ec_rw(*pk);
Valerio Settif9362b72023-11-29 08:42:27 +0100[diff] [blame]2613 grp_id = mbedtls_pk_get_ec_group_id(pk);
Valerio Settid0405092023-05-24 13:16:40 +0200[diff] [blame]2614 if (grp_id == MBEDTLS_ECP_DP_NONE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2615 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2616 }
Valerio Setti97207782023-05-18 18:59:06 +0200[diff] [blame]2617 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2618 if (tls_id == 0) {
2619 /* This elliptic curve is not supported */
2620 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2621 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2622
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2623 /* If the above conversion to TLS ID was fine, then also this one will
2624 be, so there is no need to check the return value here */
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2625 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2626 &ssl->handshake->xxdh_psa_bits);
Valerio Setti2b5d3de2023-01-09 11:04:52 +0100[diff] [blame]2627
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2628 ssl->handshake->xxdh_psa_type = key_type;
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2629
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2630 key_attributes = psa_key_attributes_init();
2631 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2632 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2633 psa_set_key_type(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2634 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2635 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2636
Gilles Peskine84b9f1b2024-02-19 16:44:29 +0100[diff] [blame]2637 ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2638 if (ret != 0) {
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2639 mbedtls_platform_zeroize(buf, sizeof(buf));
2640 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2641 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2643 status = psa_import_key(&key_attributes, buf, key_len,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2644 &ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2645 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2646 ret = PSA_TO_MBEDTLS_ERR(status);
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2647 mbedtls_platform_zeroize(buf, sizeof(buf));
2648 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2649 }
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2650
Valerio Setti6835b4a2023-06-22 09:06:31 +0200[diff] [blame]2651 mbedtls_platform_zeroize(buf, sizeof(buf));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2652 ret = 0;
2653 break;
Valerio Setti0813b6f2023-06-16 12:18:53 +0200[diff] [blame]2654#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2655 default:
Neil Armstrong104a7c12022-03-23 10:58:03 +0100[diff] [blame]2656 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2657 }
2658
Valerio Settibced8bc2023-12-06 10:40:47 +0100[diff] [blame]2659exit:
2660 psa_reset_key_attributes(&key_attributes);
2661 mbedtls_platform_zeroize(buf, sizeof(buf));
2662
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 return ret;
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]2664}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2665#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2666 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnard55389702013-12-12 11:14:16 +0100[diff] [blame]2667
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2668#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2669 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2670MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2671static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2672 size_t *signature_len)
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2673{
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]2674 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2675 * signature length which will be added in ssl_write_server_key_exchange
2676 * after the call to ssl_prepare_server_key_exchange.
2677 * ssl_write_server_key_exchange also takes care of incrementing
2678 * ssl->out_msglen. */
2679 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2680 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2681 - sig_start);
2682 int ret = ssl->conf->f_async_resume(ssl,
2683 sig_start, signature_len, sig_max_len);
2684 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
Gilles Peskinedf13d5c2018-04-25 20:39:48 +0200[diff] [blame]2685 ssl->handshake->async_in_progress = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2686 mbedtls_ssl_set_async_operation_data(ssl, NULL);
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2687 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2688 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2689 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2690}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2691#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]2692 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]2693
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]2694/* Prepare the ServerKeyExchange message, up to and including
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]2695 * calculating the signature if any, but excluding formatting the
2696 * signature and sending the message. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2697MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2698static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2699 size_t *signature_len)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]2700{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2701 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]2702 ssl->handshake->ciphersuite_info;
2703
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2704#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2705#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine3ce9b902018-01-06 01:34:21 +0100[diff] [blame]2706 unsigned char *dig_signed = NULL;
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2707#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2708#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2709
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2710 (void) ciphersuite_info; /* unused in some configurations */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2711#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine22e695f2018-04-26 00:22:50 +0200[diff] [blame]2712 (void) signature_len;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2713#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2714
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2715#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2716#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2717 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2718#else
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2719 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2720#endif
Gilles Peskine16fe8fc2021-06-22 09:45:56 +0200[diff] [blame]2721#endif
Gilles Peskinef00f1522021-06-22 00:09:00 +0200[diff] [blame]2722
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2723 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2724
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2725 /*
2726 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2727 * Part 1: Provide key exchange parameters for chosen ciphersuite.
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2728 *
2729 */
2730
2731 /*
2732 * - ECJPAKE key exchanges
2733 */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2734#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2735 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2736 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2737 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2738 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2739 ssl->out_msglen;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2740 size_t output_offset = 0;
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2741 size_t output_len = 0;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2742
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2743 /*
2744 * The first 3 bytes are:
2745 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2746 * [1, 2] elliptic curve's TLS ID
2747 *
2748 * However since we only support secp256r1 for now, we hardcode its
2749 * TLS ID here
2750 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2751 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2752 MBEDTLS_ECP_DP_SECP256R1);
2753 if (tls_id == 0) {
2754 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Valerio Setti6f1b5742022-11-16 10:00:32 +0100[diff] [blame]2755 }
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2756 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2757 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
Valerio Setti819de862022-11-17 18:05:19 +0100[diff] [blame]2758 output_offset += 3;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2759
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2760 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2761 out_p + output_offset,
2762 end_p - out_p - output_offset, &output_len,
2763 MBEDTLS_ECJPAKE_ROUND_TWO);
2764 if (ret != 0) {
2765 psa_destroy_key(ssl->handshake->psa_pake_password);
2766 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2767 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2768 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2769 }
2770
Valerio Setti02c25b52022-11-15 14:08:42 +0100[diff] [blame]2771 output_offset += output_len;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]2772 ssl->out_msglen += output_offset;
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2773 }
2774#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2775
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2776 /*
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2777 * For ECDHE key exchanges with PSK, parameters are prefixed by support
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2778 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2779 * we use empty support identity hints here.
2780 **/
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2781#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2782 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2783 ssl->out_msg[ssl->out_msglen++] = 0x00;
2784 ssl->out_msg[ssl->out_msglen++] = 0x00;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2785 }
Valerio Setti48659a12025-01-15 14:22:28 +0100[diff] [blame]2786#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2787
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2788 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2789 * - ECDHE key exchanges
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2790 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2791#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2792 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2793 /*
2794 * Ephemeral ECDH parameters:
2795 *
2796 * struct {
2797 * ECParameters curve_params;
2798 * ECPoint public;
2799 * } ServerECDHParams;
2800 */
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]2801 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
Manuel Pégourié-Gonnard6402c352025-01-14 12:23:56 +0100[diff] [blame]2802 const uint16_t *group_list = ssl->conf->group_list;
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2803 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Simon Butcher600c5e62018-06-14 08:58:59 +0100[diff] [blame]2804 size_t len = 0;
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2805
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2806 /* Match our preference list against the offered curves */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2807 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2808 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2809 }
2810 for (; *group_list != 0; group_list++) {
2811 for (curr_tls_id = ssl->handshake->curves_tls_id;
2812 *curr_tls_id != 0; curr_tls_id++) {
2813 if (*curr_tls_id == *group_list) {
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2814 goto curve_matching_done;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2815 }
2816 }
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2817 }
Manuel Pégourié-Gonnardde053902014-02-04 13:58:39 +0100[diff] [blame]2818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2819curve_matching_done:
2820 if (*curr_tls_id == 0) {
2821 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2822 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2823 }
2824
2825 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2826 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
Gergely Budai987bfb52014-01-19 21:48:42 +0100[diff] [blame]2827
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2828 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2829 psa_key_attributes_t key_attributes;
2830 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2831 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2832 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2833 // data length(1)
2834 const size_t data_length_size = 1;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]2835 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2836 size_t ec_bits = 0;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2837
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2838 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2839
Valerio Setti40d9ca92023-01-04 16:08:04 +0100[diff] [blame]2840 /* Convert EC's TLS ID to PSA key type. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2841 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
Przemek Stekielda4fba62023-06-02 14:52:28 +0200[diff] [blame]2842 &key_type,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2843 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2844 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2845 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Przemek Stekielb6ce0b62022-03-09 15:38:24 +0100[diff] [blame]2846 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2847 handshake->xxdh_psa_type = key_type;
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2848 handshake->xxdh_psa_bits = ec_bits;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2849
2850 key_attributes = psa_key_attributes_init();
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2851 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2852 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2853 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
Valerio Settiea59c432023-07-25 11:14:03 +0200[diff] [blame]2854 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2855
2856 /*
2857 * ECParameters curve_params
2858 *
2859 * First byte is curve_type, always named_curve
2860 */
2861 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
2862
2863 /*
2864 * Next two bytes are the namedcurve value
2865 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2866 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2867 p += 2;
2868
2869 /* Generate ECDH private key. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2870 status = psa_generate_key(&key_attributes,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2871 &handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2872 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2873 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
2875 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2876 }
2877
2878 /*
2879 * ECPoint public
2880 *
2881 * First byte is data length.
2882 * It will be filled later. p holds now the data length location.
2883 */
2884
2885 /* Export the public part of the ECDH private key from PSA.
2886 * Make one byte space for the length.
2887 */
2888 unsigned char *own_pubkey = p + data_length_size;
2889
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2890 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
2891 - (own_pubkey - ssl->out_msg));
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2892
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2893 status = psa_export_public_key(handshake->xxdh_psa_privkey,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2894 own_pubkey, own_pubkey_max_len,
2895 &len);
2896 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]2897 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2898 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]2899 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
2900 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2901 return ret;
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]2902 }
2903
2904 /* Store the length of the exported public key. */
2905 *p = (uint8_t) len;
2906
2907 /* Determine full message length. */
2908 len += header_size;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2909
Jerry Yuc5aef882021-12-23 20:15:02 +0800[diff] [blame]2910#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2911 dig_signed = ssl->out_msg + ssl->out_msglen;
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2912#endif
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2913
Gilles Peskinef9f15ae2018-01-08 17:13:01 +0100[diff] [blame]2914 ssl->out_msglen += len;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2915 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2916#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2917
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2918 /*
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2919 *
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2920 * Part 2: For key exchanges involving the server signing the
Hanno Beckercf7ae7e2017-05-11 14:07:25 +0100[diff] [blame]2921 * exchange parameters, compute and add the signature here.
2922 *
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2923 */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]2924#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2925 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2926 if (dig_signed == NULL) {
2927 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2928 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Elliott11420382022-05-13 17:43:47 +0100[diff] [blame]2929 }
2930
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]2931 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2932 size_t hashlen = 0;
Manuel Pégourié-Gonnard88579842023-03-28 11:20:23 +0200[diff] [blame]2933 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Przemek Stekiel51669542022-09-13 12:57:05 +0200[diff] [blame]2934
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]2935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]2936
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2937 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2938 * 2.1: Choose hash algorithm:
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]2939 * For TLS 1.2, obey signature-hash-algorithm extension
2940 * to choose appropriate hash.
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2941 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2942
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2943 mbedtls_pk_type_t sig_alg =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2944 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2945
Dave Rodgmanc37ad442023-11-03 23:36:06 +0000[diff] [blame]2946 unsigned char sig_hash =
2947 (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2950 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
Gabor Mezeia3d016c2022-05-10 12:44:09 +0200[diff] [blame]2951
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2952 /* For TLS 1.2, obey signature-hash-algorithm extension
2953 * (RFC 5246, Sec. 7.4.1.4.1). */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2954 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
2955 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2956 /* (... because we choose a cipher suite
2957 * only if there is a matching hash.) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2958 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2959 }
2960
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2961 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2962
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2963 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2964 * 2.2: Compute the hash to be signed
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2965 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2966 if (md_alg != MBEDTLS_MD_NONE) {
2967 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2968 dig_signed,
2969 dig_signed_len,
2970 md_alg);
2971 if (ret != 0) {
2972 return ret;
2973 }
2974 } else {
2975 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2976 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2977 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2979 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2980
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2981 /*
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]2982 * 2.3: Compute and add the signature
Manuel Pégourié-Gonnardabae74c2013-08-20 13:53:44 +0200[diff] [blame]2983 */
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]2984 /*
2985 * We need to specify signature and hash algorithm explicitly through
2986 * a prefix to the signature.
2987 *
2988 * struct {
2989 * HashAlgorithm hash;
2990 * SignatureAlgorithm signature;
2991 * } SignatureAndHashAlgorithm;
2992 *
2993 * struct {
2994 * SignatureAndHashAlgorithm algorithm;
2995 * opaque signature<0..2^16-1>;
2996 * } DigitallySigned;
2997 *
2998 */
Hanno Becker7e5437a2017-04-28 17:15:26 +0100[diff] [blame]2999
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3001 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3002
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3003#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3004 if (ssl->conf->f_async_sign_start != NULL) {
3005 ret = ssl->conf->f_async_sign_start(ssl,
3006 mbedtls_ssl_own_cert(ssl),
3007 md_alg, hash, hashlen);
3008 switch (ret) {
3009 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3010 /* act as if f_async_sign was null */
3011 break;
3012 case 0:
3013 ssl->handshake->async_in_progress = 1;
3014 return ssl_resume_server_key_exchange(ssl, signature_len);
3015 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3016 ssl->handshake->async_in_progress = 1;
3017 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3018 default:
3019 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3020 return ret;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3021 }
3022 }
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3023#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3024
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3025 if (mbedtls_ssl_own_key(ssl) == NULL) {
3026 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3027 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Gilles Peskine4bf9a282018-01-05 21:20:50 +0100[diff] [blame]3028 }
3029
Gilles Peskine0fd90dd2018-04-26 07:41:09 +0200[diff] [blame]3030 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3031 * signature length which will be added in ssl_write_server_key_exchange
3032 * after the call to ssl_prepare_server_key_exchange.
3033 * ssl_write_server_key_exchange also takes care of incrementing
3034 * ssl->out_msglen. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3035 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3036 md_alg, hash, hashlen,
3037 ssl->out_msg + ssl->out_msglen + 2,
3038 out_buf_len - ssl->out_msglen - 2,
Ben Taylor440cb2a2025-03-05 09:40:08 +0000[diff] [blame]3039 signature_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3040 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3041 return ret;
Paul Bakker23f36802012-09-28 14:15:14 +0000[diff] [blame]3042 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3043 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3044#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3045
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3046 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3047}
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3048
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3049/* Prepare the ServerKeyExchange message and send it. For ciphersuites
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3050 * that do not include a ServerKeyExchange message, do nothing. Either
3051 * way, if successful, move on to the next step in the SSL state
3052 * machine. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3053MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3054static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3055{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3056 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3057 size_t signature_len = 0;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3058#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3059 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3060 ssl->handshake->ciphersuite_info;
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3061#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3062
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3063 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3064
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3065#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3066 /* Extract static ECDH parameters and abort if ServerKeyExchange
3067 * is not needed. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3068 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3069 /* For suites involving ECDH, extract DH parameters
3070 * from certificate at this point. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3071#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3072 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3073 ret = ssl_get_ecdh_params_from_cert(ssl);
3074 if (ret != 0) {
3075 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3076 return ret;
Manuel Pégourié-Gonnardb64fb622022-06-10 09:34:20 +0200[diff] [blame]3077 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3078 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3079#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3080
3081 /* Key exchanges not involving ephemeral keys don't use
3082 * ServerKeyExchange, so end here. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3083 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3084 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3085 return 0;
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3086 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3087#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3088
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3089#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3090 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3091 /* If we have already prepared the message and there is an ongoing
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3092 * signature operation, resume signing. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3093 if (ssl->handshake->async_in_progress != 0) {
3094 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3095 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3096 } else
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3097#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]3098 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3099 {
3100 /* ServerKeyExchange is needed. Prepare the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3101 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3102 }
3103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3104 if (ret != 0) {
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]3105 /* If we're starting to write a new message, set ssl->out_msglen
3106 * to 0. But if we're resuming after an asynchronous message,
3107 * out_msglen is the amount of data written so far and mst be
3108 * preserved. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3109 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3110 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3111 } else {
Gilles Peskined3eb0612018-01-08 17:07:44 +0100[diff] [blame]3112 ssl->out_msglen = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3113 }
3114 return ret;
Gilles Peskineebd30ae2018-01-06 03:34:20 +0100[diff] [blame]3115 }
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3116
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3117 /* If there is a signature, write its length.
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]3118 * ssl_prepare_server_key_exchange already wrote the signature
3119 * itself at its proper place in the output buffer. */
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3120#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3121 if (signature_len != 0) {
3122 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3123 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3125 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3126 ssl->out_msg + ssl->out_msglen,
3127 signature_len);
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3128
3129 /* Skip over the already-written signature */
3130 ssl->out_msglen += signature_len;
3131 }
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3132#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
Gilles Peskine7ab013a2018-01-08 17:04:16 +0100[diff] [blame]3133
Gilles Peskine184a3fa2018-01-06 01:46:17 +0100[diff] [blame]3134 /* Add header and send. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3135 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3136 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3137
3138 ssl->state++;
3139
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3140 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3141 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3142 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3143 }
3144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3145 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3146 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3147}
3148
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3149MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3150static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3151{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3152 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3154 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3155
3156 ssl->out_msglen = 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3157 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3158 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3159
3160 ssl->state++;
3161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3162#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3163 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3164 mbedtls_ssl_send_flight_completed(ssl);
3165 }
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]3166#endif
3167
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3168 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3169 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3170 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3171 }
3172
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3173#if defined(MBEDTLS_SSL_PROTO_DTLS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3174 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3175 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3176 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3177 return ret;
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3178 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3179#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3180
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3181 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3182
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3183 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3184}
3185
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3186#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3187MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3188static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3189 const unsigned char *end)
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3190{
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3191 int ret = 0;
irwir6527bd62019-09-21 18:51:25 +0300[diff] [blame]3192 uint16_t n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3194 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3195 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3196 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3197 }
3198
3199 /*
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3200 * Receive client pre-shared key identity name
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3201 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3202 if (end - *p < 2) {
3203 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3204 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3205 }
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3206
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3207 n = MBEDTLS_GET_UINT16_BE(*p, 0);
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3208 *p += 2;
3209
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3210 if (n == 0 || n > end - *p) {
3211 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3212 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3213 }
3214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3215 if (ssl->conf->f_psk != NULL) {
3216 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3217 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3218 }
3219 } else {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]3220 /* Identity is not a big secret since clients send it in the clear,
3221 * but treat it carefully anyway, just in case */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3222 if (n != ssl->conf->psk_identity_len ||
3223 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3224 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakker6db455e2013-09-18 17:29:31 +0200[diff] [blame]3225 }
3226 }
3227
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3228 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3229 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3230 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3231 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3232 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3233 }
3234
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3235 *p += n;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3236
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3237 return 0;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3238}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3239#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3240
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3241MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3242static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3243{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3244 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3245 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3246 unsigned char *p, *end;
Paul Bakker70df2fb2013-04-17 17:19:09 +0200[diff] [blame]3247
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3248 ciphersuite_info = ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3250 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3251
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3252 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3253 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3254 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3255 }
3256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3257 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
Manuel Pégourié-Gonnard2114d722014-09-10 13:59:41 +0000[diff] [blame]3258 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnardf8995832014-09-10 08:25:12 +0000[diff] [blame]3259
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3260 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3261 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3262 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3263 }
3264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3265 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3266 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3267 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3268 }
3269
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3270#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3271 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3272 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3273 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3274 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
Neil Armstrong1f4b3962022-03-09 14:54:29 +0100[diff] [blame]3275 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3276 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3277 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3278 size_t data_len = (size_t) (*p++);
3279 size_t buf_len = (size_t) (end - p);
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3280 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3281 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3282
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3283 MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3284
3285 /*
Przemek Stekiel338b61d2022-03-15 08:03:43 +0100[diff] [blame]3286 * We must have at least two bytes (1 for length, at least 1 for data)
3287 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3288 if (buf_len < 2) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3289 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3290 buf_len));
3291 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3292 }
3293
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3294 if (data_len < 1 || data_len > buf_len) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3295 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3296 " > %" MBEDTLS_PRINTF_SIZET,
3297 data_len, buf_len));
3298 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3299 }
3300
3301 /* Store peer's ECDH public key. */
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3302 if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
Gilles Peskine530c4232023-10-02 15:37:23 +0200[diff] [blame]3303 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3304 " > %" MBEDTLS_PRINTF_SIZET,
3305 data_len,
3306 sizeof(handshake->xxdh_psa_peerkey)));
Gilles Peskinec8df8982023-10-02 14:58:16 +0200[diff] [blame]3307 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3308 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3309 memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3310 handshake->xxdh_psa_peerkey_len = data_len;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3311
3312 /* Compute ECDH shared secret. */
3313 status = psa_raw_key_agreement(
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3314 PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3315 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3316 handshake->premaster, sizeof(handshake->premaster),
3317 &handshake->pmslen);
3318 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3319 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3320 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3321 if (handshake->xxdh_psa_privkey_is_external == 0) {
3322 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3323 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3324 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3325 return ret;
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3326 }
3327
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3328 if (handshake->xxdh_psa_privkey_is_external == 0) {
3329 status = psa_destroy_key(handshake->xxdh_psa_privkey);
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3331 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3332 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3333 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3334 return ret;
Neil Armstrong8113d252022-03-23 10:57:04 +0100[diff] [blame]3335 }
Przemek Stekielce1d7922022-03-14 16:16:25 +0100[diff] [blame]3336 }
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3337 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3338 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3339#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3340 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3341 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3342 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3343#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3344 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3345 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3346 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3347 return ret;
Paul Bakkerfbb17802013-04-17 19:10:21 +0200[diff] [blame]3348 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3349
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3350 if (p != end) {
3351 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3352 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard969ccc62014-03-26 19:53:25 +0100[diff] [blame]3353 }
3354
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3355 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3356#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
Neil Armstrongd91526c2022-04-12 14:38:52 +0200[diff] [blame]3357#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3358 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3359 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3360 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
Michael Schuster7e390282024-05-27 20:07:05 +0200[diff] [blame]3361 size_t ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3362
3363 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3364
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3365 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3366 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3367 psa_destroy_key(handshake->xxdh_psa_privkey);
3368 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3369 return ret;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3370 }
3371
3372 /* Keep a copy of the peer's public key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3373 if (p >= end) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3374 psa_destroy_key(handshake->xxdh_psa_privkey);
3375 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3376 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong3cae1672022-04-05 10:01:15 +0200[diff] [blame]3377 }
3378
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3379 ecpoint_len = *(p++);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3380 if ((size_t) (end - p) < ecpoint_len) {
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3381 psa_destroy_key(handshake->xxdh_psa_privkey);
3382 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3383 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3384 }
3385
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3386 /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3387 the sizes of the FFDH keys which are at least 2048 bits.
3388 The size of the array is thus greater than 256 bytes which is greater than any
3389 possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3390#if !defined(PSA_WANT_ALG_FFDH)
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3391 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3392 psa_destroy_key(handshake->xxdh_psa_privkey);
3393 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3394 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3395 }
Przemek Stekiel615cbcd2023-07-06 11:08:39 +0200[diff] [blame]3396#else
Przemek Stekiel46b2d2b2023-07-07 09:34:17 +0200[diff] [blame]3397 MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3398 "peer key buffer too small");
Przemek Stekiel24e50d32023-05-19 10:21:38 +0200[diff] [blame]3399#endif
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3400
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3401 memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3402 handshake->xxdh_psa_peerkey_len = ecpoint_len;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3403 p += ecpoint_len;
3404
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3405 /* As RFC 5489 section 2, the premaster secret is formed as follows:
Neil Armstrongfdf20cb2022-03-24 09:43:02 +0100[diff] [blame]3406 * - a uint16 containing the length (in octets) of the ECDH computation
3407 * - the octet string produced by the ECDH computation
3408 * - a uint16 containing the length (in octets) of the PSK
3409 * - the PSK itself
3410 */
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3411 unsigned char *psm = ssl->handshake->premaster;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3412 const unsigned char * const psm_end =
3413 psm + sizeof(ssl->handshake->premaster);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3414 /* uint16 to store length (in octets) of the ECDH computation */
3415 const size_t zlen_size = 2;
Neil Armstrong549a3e42022-03-23 18:16:24 +0100[diff] [blame]3416 size_t zlen = 0;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3417
3418 /* Compute ECDH shared secret. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3419 status = psa_raw_key_agreement(PSA_ALG_ECDH,
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3420 handshake->xxdh_psa_privkey,
3421 handshake->xxdh_psa_peerkey,
3422 handshake->xxdh_psa_peerkey_len,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3423 psm + zlen_size,
3424 psm_end - (psm + zlen_size),
3425 &zlen);
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3426
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]3427 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3428 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3429
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3430 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3431 return PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3432 } else if (destruction_status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]3433 return PSA_TO_MBEDTLS_ERR(destruction_status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3434 }
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3435
Neil Armstrong3bcef082022-03-23 18:16:54 +0100[diff] [blame]3436 /* Write the ECDH computation length before the ECDH computation */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3437 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
Neil Armstrong2d63da92022-03-23 18:17:31 +0100[diff] [blame]3438 psm += zlen_size + zlen;
Neil Armstrong039db292022-03-09 11:38:34 +0100[diff] [blame]3439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3440 } else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3441#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3442#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3443 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3444 if ((ret = mbedtls_psa_ecjpake_read_round(
Dave Rodgmane4a6f5a2023-11-04 12:20:09 +0000[diff] [blame]3445 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3446 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
3447 psa_destroy_key(ssl->handshake->psa_pake_password);
3448 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3449
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3450 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
3451 return ret;
Neil Armstrongca7d5062022-05-31 14:43:23 +0200[diff] [blame]3452 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3453 } else
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3454#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3455 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3456 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3457 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3458 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3460 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3461 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3462 return ret;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3463 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3465 ssl->state++;
3466
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3467 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3468
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3469 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3470}
3471
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3472#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3473MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3474static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3475{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3476 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3477 ssl->handshake->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3478
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3479 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3480
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3481 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3482 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3483 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3484 return 0;
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3485 }
3486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3487 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3488 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3489}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3490#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3491MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3492static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3493{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3494 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3495 size_t i, sig_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3496 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3497 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3498 size_t hashlen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3499 mbedtls_pk_type_t pk_alg;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3500 mbedtls_md_type_t md_alg;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3501 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
Hanno Beckere694c3e2017-12-27 21:34:08 +0000[diff] [blame]3502 ssl->handshake->ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3503 mbedtls_pk_context *peer_pk;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3505 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3507 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3508 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3509 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3510 return 0;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3511 }
3512
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3513#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3514 if (ssl->session_negotiate->peer_cert == NULL) {
3515 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3516 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3517 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3518 }
3519#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3520 if (ssl->session_negotiate->peer_cert_digest == NULL) {
3521 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3522 ssl->state++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3523 return 0;
Hanno Becker2a831a42019-02-07 13:17:25 +0000[diff] [blame]3524 }
3525#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3526
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3527 /* Read the message without adding it to the checksum */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3528 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
3529 if (0 != ret) {
3530 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
3531 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3532 }
3533
3534 ssl->state++;
3535
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3536 /* Process the message contents */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3537 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
3538 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
3539 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3540 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3541 }
3542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3543 i = mbedtls_ssl_hs_hdr_len(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3544
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3545#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3546 peer_pk = &ssl->handshake->peer_pubkey;
3547#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3548 if (ssl->session_negotiate->peer_cert == NULL) {
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3549 /* Should never happen */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3550 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Hanno Beckera1ab9be2019-02-06 18:31:04 +0000[diff] [blame]3551 }
3552 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3553#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3554
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3555 /*
3556 * struct {
3557 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3558 * opaque signature<0..2^16-1>;
3559 * } DigitallySigned;
3560 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3561 if (i + 2 > ssl->in_hslen) {
3562 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3563 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3564 }
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3565
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3566 /*
3567 * Hash
3568 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3569 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3571 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
3572 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3573 " for verify message"));
3574 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3575 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3576
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3577#if !defined(MBEDTLS_MD_SHA1)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3578 if (MBEDTLS_MD_SHA1 == md_alg) {
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3579 hash_start += 16;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3580 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3581#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3582
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3583 /* Info from md_alg will be used instead */
3584 hashlen = 0;
Manuel Pégourié-Gonnard0b032002013-08-17 13:01:41 +0200[diff] [blame]3585
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3586 i++;
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3587
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3588 /*
3589 * Signature
3590 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3591 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
3592 == MBEDTLS_PK_NONE) {
3593 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
3594 " for verify message"));
3595 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +0200[diff] [blame]3596 }
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3597
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3598 /*
3599 * Check the certificate's key type matches the signature alg
3600 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3601 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3602 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
3603 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron8457c122022-03-07 11:32:54 +0100[diff] [blame]3604 }
3605
3606 i++;
3607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3608 if (i + 2 > ssl->in_hslen) {
3609 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3610 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Manuel Pégourié-Gonnard5ee96542014-09-10 14:27:21 +0000[diff] [blame]3611 }
3612
Dave Rodgmana3d0f612023-11-03 23:34:02 +0000[diff] [blame]3613 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
Manuel Pégourié-Gonnard4528f3f2014-09-10 14:17:23 +0000[diff] [blame]3614 i += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3616 if (i + sig_len != ssl->in_hslen) {
3617 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
3618 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3619 }
3620
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3621 /* Calculate hash and verify signature */
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3622 {
3623 size_t dummy_hlen;
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3624 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
3625 if (0 != ret) {
3626 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3627 return ret;
3628 }
Manuel Pégourié-Gonnardde718b92019-05-03 11:43:28 +0200[diff] [blame]3629 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3630
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3631 if ((ret = mbedtls_pk_verify(peer_pk,
3632 md_alg, hash_start, hashlen,
3633 ssl->in_msg + i, sig_len)) != 0) {
3634 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3635 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3636 }
3637
Manuel Pégourié-Gonnardb8b07aa2023-02-06 00:34:21 +0100[diff] [blame]3638 ret = mbedtls_ssl_update_handshake_status(ssl);
3639 if (0 != ret) {
3640 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
3641 return ret;
3642 }
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3644 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3645
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3646 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3647}
Gilles Peskineeccd8882020-03-10 12:19:08 +0100[diff] [blame]3648#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3650#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]3651MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3652static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3653{
Janos Follath865b3eb2019-12-16 11:46:15 +0000[diff] [blame]3654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3655 size_t tlen;
Manuel Pégourié-Gonnardb0394be2015-05-19 11:40:30 +0200[diff] [blame]3656 uint32_t lifetime;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3657
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3658 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3661 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3662
3663 /*
3664 * struct {
3665 * uint32 ticket_lifetime_hint;
3666 * opaque ticket<0..2^16-1>;
3667 * } NewSessionTicket;
3668 *
3669 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3670 * 8 . 9 ticket_len (n)
3671 * 10 . 9+n ticket content
3672 */
Manuel Pégourié-Gonnard164d8942013-09-23 22:01:39 +0200[diff] [blame]3673
Ronald Cron3c0072b2023-11-22 10:00:14 +0100[diff] [blame]3674#if defined(MBEDTLS_HAVE_TIME)
3675 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
3676#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3677 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
3678 ssl->session_negotiate,
3679 ssl->out_msg + 10,
3680 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
3681 &tlen, &lifetime)) != 0) {
3682 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +0200[diff] [blame]3683 tlen = 0;
3684 }
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3686 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
3687 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
Manuel Pégourié-Gonnard609bc812013-08-01 15:08:40 +0200[diff] [blame]3688 ssl->out_msglen = 10 + tlen;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3689
Manuel Pégourié-Gonnard145dfcb2014-02-26 14:23:33 +0100[diff] [blame]3690 /*
3691 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3692 * ChangeCipherSpec share the same state.
3693 */
3694 ssl->handshake->new_session_ticket = 0;
3695
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3696 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3697 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3698 return ret;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3699 }
3700
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3701 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3702
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3703 return 0;
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3704}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3705#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3706
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3707/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3708 * SSL handshake -- server side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3709 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3710int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3711{
3712 int ret = 0;
3713
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3714 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3715
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3716 switch (ssl->state) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3717 case MBEDTLS_SSL_HELLO_REQUEST:
3718 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3719 break;
3720
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3721 /*
3722 * <== ClientHello
3723 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3724 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3725 ret = ssl_parse_client_hello(ssl);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3726 break;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3728#if defined(MBEDTLS_SSL_PROTO_DTLS)
3729 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3730 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3731#endif
3732
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3733 /*
3734 * ==> ServerHello
3735 * Certificate
3736 * ( ServerKeyExchange )
3737 * ( CertificateRequest )
3738 * ServerHelloDone
3739 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3740 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3741 ret = ssl_write_server_hello(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3742 break;
3743
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3744 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3745 ret = mbedtls_ssl_write_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3746 break;
3747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3748 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3749 ret = ssl_write_server_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3750 break;
3751
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3752 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3753 ret = ssl_write_certificate_request(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3754 break;
3755
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3756 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3757 ret = ssl_write_server_hello_done(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3758 break;
3759
3760 /*
3761 * <== ( Certificate/Alert )
3762 * ClientKeyExchange
3763 * ( CertificateVerify )
3764 * ChangeCipherSpec
3765 * Finished
3766 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3767 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3768 ret = mbedtls_ssl_parse_certificate(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3769 break;
3770
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3771 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3772 ret = ssl_parse_client_key_exchange(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3773 break;
3774
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3775 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3776 ret = ssl_parse_certificate_verify(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3777 break;
3778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3779 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3780 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3781 break;
3782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3783 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3784 ret = mbedtls_ssl_parse_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3785 break;
3786
3787 /*
Manuel Pégourié-Gonnard7a358b82013-08-01 11:47:56 +0200[diff] [blame]3788 * ==> ( NewSessionTicket )
3789 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3790 * Finished
3791 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3792 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3793#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3794 if (ssl->handshake->new_session_ticket != 0) {
3795 ret = ssl_write_new_session_ticket(ssl);
3796 } else
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3797#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3798 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3799 break;
3800
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3801 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3802 ret = mbedtls_ssl_write_finished(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3803 break;
3804
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3805 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3806 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3807 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3808 break;
3809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3810 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3811 mbedtls_ssl_handshake_wrapup(ssl);
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3812 break;
3813
3814 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3815 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3816 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3817 }
3818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3819 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3820}
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]3821
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3822void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]3823{
TRodziewicz3946f792021-06-14 12:11:18 +0200[diff] [blame]3824 conf->respect_cli_pref = order;
TRodziewicz8476f2f2021-06-02 14:34:47 +0200[diff] [blame]3825}
3826
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3827#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */