1 /*
2 * TLS server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
23
24 #include "mbedtls/platform.h"
25
26 #include "mbedtls/ssl.h"
27 #include "ssl_misc.h"
28 #include "mbedtls/debug.h"
29 #include "mbedtls/error.h"
30 #include "mbedtls/platform_util.h"
31 #include "constant_time_internal.h"
32 #include "mbedtls/constant_time.h"
33 #include "hash_info.h"
34
35 #include <string.h>
36
37 #if defined(MBEDTLS_USE_PSA_CRYPTO)
38 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
39 psa_to_ssl_errors, \
40 psa_generic_status_to_mbedtls)
41 #endif
42
43 #if defined(MBEDTLS_ECP_C)
44 #include "mbedtls/ecp.h"
45 #endif
46
47 #if defined(MBEDTLS_HAVE_TIME)
48 #include "mbedtls/platform_time.h"
49 #endif
50
51 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context * ssl,const unsigned char * info,size_t ilen)52 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
53 const unsigned char *info,
54 size_t ilen)
55 {
56 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
57 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
58 }
59
60 mbedtls_free(ssl->cli_id);
61
62 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
63 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
64 }
65
66 memcpy(ssl->cli_id, info, ilen);
67 ssl->cli_id_len = ilen;
68
69 return 0;
70 }
71
mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config * conf,mbedtls_ssl_cookie_write_t * f_cookie_write,mbedtls_ssl_cookie_check_t * f_cookie_check,void * p_cookie)72 void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
73 mbedtls_ssl_cookie_write_t *f_cookie_write,
74 mbedtls_ssl_cookie_check_t *f_cookie_check,
75 void *p_cookie)
76 {
77 conf->f_cookie_write = f_cookie_write;
78 conf->f_cookie_check = f_cookie_check;
79 conf->p_cookie = p_cookie;
80 }
81 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
82
83 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
84 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_has_psk_or_cb(mbedtls_ssl_config const * conf)85 static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
86 {
87 if (conf->f_psk != NULL) {
88 return 1;
89 }
90
91 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
92 return 0;
93 }
94
95
96 #if defined(MBEDTLS_USE_PSA_CRYPTO)
97 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
98 return 1;
99 }
100 #endif /* MBEDTLS_USE_PSA_CRYPTO */
101
102 if (conf->psk != NULL && conf->psk_len != 0) {
103 return 1;
104 }
105
106 return 0;
107 }
108 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
109
110 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)111 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
112 const unsigned char *buf,
113 size_t len)
114 {
115 #if defined(MBEDTLS_SSL_RENEGOTIATION)
116 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
117 /* Check verify-data in constant-time. The length OTOH is no secret */
118 if (len != 1 + ssl->verify_data_len ||
119 buf[0] != ssl->verify_data_len ||
120 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
121 ssl->verify_data_len) != 0) {
122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
126 }
127 } else
128 #endif /* MBEDTLS_SSL_RENEGOTIATION */
129 {
130 if (len != 1 || buf[0] != 0x0) {
131 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
132 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
133 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
134 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
135 }
136
137 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
138 }
139
140 return 0;
141 }
142
143 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
144 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
145 /*
146 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
147 * curves (TLS 1.2) extension.
148 *
149 * The "extension_data" field of a supported groups extension contains a
150 * "NamedGroupList" value (TLS 1.3 RFC8446):
151 * enum {
152 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
153 * x25519(0x001D), x448(0x001E),
154 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
155 * ffdhe6144(0x0103), ffdhe8192(0x0104),
156 * ffdhe_private_use(0x01FC..0x01FF),
157 * ecdhe_private_use(0xFE00..0xFEFF),
158 * (0xFFFF)
159 * } NamedGroup;
160 * struct {
161 * NamedGroup named_group_list<2..2^16-1>;
162 * } NamedGroupList;
163 *
164 * The "extension_data" field of a supported elliptic curves extension contains
165 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
166 * enum {
167 * deprecated(1..22),
168 * secp256r1 (23), secp384r1 (24), secp521r1 (25),
169 * x25519(29), x448(30),
170 * reserved (0xFE00..0xFEFF),
171 * deprecated(0xFF01..0xFF02),
172 * (0xFFFF)
173 * } NamedCurve;
174 * struct {
175 * NamedCurve named_curve_list<2..2^16-1>
176 * } NamedCurveList;
177 *
178 * The TLS 1.3 supported groups extension was defined to be a compatible
179 * generalization of the TLS 1.2 supported elliptic curves extension. They both
180 * share the same extension identifier.
181 *
182 * DHE groups are not supported yet.
183 */
184 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_groups_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)185 static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
186 const unsigned char *buf,
187 size_t len)
188 {
189 size_t list_size, our_size;
190 const unsigned char *p;
191 uint16_t *curves_tls_id;
192
193 if (len < 2) {
194 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
195 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
196 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
197 return MBEDTLS_ERR_SSL_DECODE_ERROR;
198 }
199 list_size = ((buf[0] << 8) | (buf[1]));
200 if (list_size + 2 != len ||
201 list_size % 2 != 0) {
202 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
204 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
205 return MBEDTLS_ERR_SSL_DECODE_ERROR;
206 }
207
208 /* Should never happen unless client duplicates the extension */
209 if (ssl->handshake->curves_tls_id != NULL) {
210 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
212 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
213 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
214 }
215
216 /* Don't allow our peer to make us allocate too much memory,
217 * and leave room for a final 0 */
218 our_size = list_size / 2 + 1;
219 if (our_size > MBEDTLS_ECP_DP_MAX) {
220 our_size = MBEDTLS_ECP_DP_MAX;
221 }
222
223 if ((curves_tls_id = mbedtls_calloc(our_size,
224 sizeof(*curves_tls_id))) == NULL) {
225 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
226 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
227 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
228 }
229
230 ssl->handshake->curves_tls_id = curves_tls_id;
231
232 p = buf + 2;
233 while (list_size > 0 && our_size > 1) {
234 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
235
236 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
237 MBEDTLS_ECP_DP_NONE) {
238 *curves_tls_id++ = curr_tls_id;
239 our_size--;
240 }
241
242 list_size -= 2;
243 p += 2;
244 }
245
246 return 0;
247 }
248
249 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_point_formats(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)250 static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
251 const unsigned char *buf,
252 size_t len)
253 {
254 size_t list_size;
255 const unsigned char *p;
256
257 if (len == 0 || (size_t) (buf[0] + 1) != len) {
258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
261 return MBEDTLS_ERR_SSL_DECODE_ERROR;
262 }
263 list_size = buf[0];
264
265 p = buf + 1;
266 while (list_size > 0) {
267 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
268 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
269 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
270 (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C))
271 ssl->handshake->ecdh_ctx.point_format = p[0];
272 #endif /* !MBEDTLS_USE_PSA_CRYPTO &&
273 ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
274 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
275 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
276 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
277 p[0]);
278 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
279 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
280 return 0;
281 }
282
283 list_size--;
284 p++;
285 }
286
287 return 0;
288 }
289 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
290 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
291
292 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
293 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)294 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
295 const unsigned char *buf,
296 size_t len)
297 {
298 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
299
300 #if defined(MBEDTLS_USE_PSA_CRYPTO)
301 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
302 #else
303 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
304 #endif /* MBEDTLS_USE_PSA_CRYPTO */
305 {
306 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
307 return 0;
308 }
309
310 #if defined(MBEDTLS_USE_PSA_CRYPTO)
311 if ((ret = mbedtls_psa_ecjpake_read_round(
312 &ssl->handshake->psa_pake_ctx, buf, len,
313 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
314 psa_destroy_key(ssl->handshake->psa_pake_password);
315 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
316
317 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
318 mbedtls_ssl_send_alert_message(
319 ssl,
320 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
321 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
322
323 return ret;
324 }
325 #else
326 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
327 buf, len)) != 0) {
328 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
329 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
330 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
331 return ret;
332 }
333 #endif /* MBEDTLS_USE_PSA_CRYPTO */
334
335 /* Only mark the extension as OK when we're sure it is */
336 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
337
338 return 0;
339 }
340 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
341
342 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
343 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)344 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
345 const unsigned char *buf,
346 size_t len)
347 {
348 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
349 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
350 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
351 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
352 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
353 }
354
355 ssl->session_negotiate->mfl_code = buf[0];
356
357 return 0;
358 }
359 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
360
361 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
362 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_cid_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)363 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
364 const unsigned char *buf,
365 size_t len)
366 {
367 size_t peer_cid_len;
368
369 /* CID extension only makes sense in DTLS */
370 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
371 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
372 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
373 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
374 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
375 }
376
377 /*
378 * struct {
379 * opaque cid<0..2^8-1>;
380 * } ConnectionId;
381 */
382
383 if (len < 1) {
384 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
385 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
386 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
387 return MBEDTLS_ERR_SSL_DECODE_ERROR;
388 }
389
390 peer_cid_len = *buf++;
391 len--;
392
393 if (len != peer_cid_len) {
394 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
395 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
396 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
397 return MBEDTLS_ERR_SSL_DECODE_ERROR;
398 }
399
400 /* Ignore CID if the user has disabled its use. */
401 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
402 /* Leave ssl->handshake->cid_in_use in its default
403 * value of MBEDTLS_SSL_CID_DISABLED. */
404 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
405 return 0;
406 }
407
408 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
409 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
410 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
411 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
412 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
413 }
414
415 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
416 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
417 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
418
419 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
420 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
421
422 return 0;
423 }
424 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
425
426 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
427 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)428 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
429 const unsigned char *buf,
430 size_t len)
431 {
432 if (len != 0) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
434 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
435 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
436 return MBEDTLS_ERR_SSL_DECODE_ERROR;
437 }
438
439 ((void) buf);
440
441 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
442 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
443 }
444
445 return 0;
446 }
447 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
448
449 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
450 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)451 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
452 const unsigned char *buf,
453 size_t len)
454 {
455 if (len != 0) {
456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
458 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
459 return MBEDTLS_ERR_SSL_DECODE_ERROR;
460 }
461
462 ((void) buf);
463
464 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
465 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
466 }
467
468 return 0;
469 }
470 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
471
472 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
473 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)474 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
475 unsigned char *buf,
476 size_t len)
477 {
478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
479 mbedtls_ssl_session session;
480
481 mbedtls_ssl_session_init(&session);
482
483 if (ssl->conf->f_ticket_parse == NULL ||
484 ssl->conf->f_ticket_write == NULL) {
485 return 0;
486 }
487
488 /* Remember the client asked us to send a new ticket */
489 ssl->handshake->new_session_ticket = 1;
490
491 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
492
493 if (len == 0) {
494 return 0;
495 }
496
497 #if defined(MBEDTLS_SSL_RENEGOTIATION)
498 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
499 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
500 return 0;
501 }
502 #endif /* MBEDTLS_SSL_RENEGOTIATION */
503
504 /*
505 * Failures are ok: just ignore the ticket and proceed.
506 */
507 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
508 buf, len)) != 0) {
509 mbedtls_ssl_session_free(&session);
510
511 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
512 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
513 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
514 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
515 } else {
516 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
517 }
518
519 return 0;
520 }
521
522 /*
523 * Keep the session ID sent by the client, since we MUST send it back to
524 * inform them we're accepting the ticket (RFC 5077 section 3.4)
525 */
526 session.id_len = ssl->session_negotiate->id_len;
527 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
528
529 mbedtls_ssl_session_free(ssl->session_negotiate);
530 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
531
532 /* Zeroize instead of free as we copied the content */
533 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
534
535 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
536
537 ssl->handshake->resume = 1;
538
539 /* Don't send a new ticket after all, this one is OK */
540 ssl->handshake->new_session_ticket = 0;
541
542 return 0;
543 }
544 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
545
546 #if defined(MBEDTLS_SSL_DTLS_SRTP)
547 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)548 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
549 const unsigned char *buf,
550 size_t len)
551 {
552 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
553 size_t i, j;
554 size_t profile_length;
555 uint16_t mki_length;
556 /*! 2 bytes for profile length and 1 byte for mki len */
557 const size_t size_of_lengths = 3;
558
559 /* If use_srtp is not configured, just ignore the extension */
560 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
561 (ssl->conf->dtls_srtp_profile_list == NULL) ||
562 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
563 return 0;
564 }
565
566 /* RFC5764 section 4.1.1
567 * uint8 SRTPProtectionProfile[2];
568 *
569 * struct {
570 * SRTPProtectionProfiles SRTPProtectionProfiles;
571 * opaque srtp_mki<0..255>;
572 * } UseSRTPData;
573
574 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
575 */
576
577 /*
578 * Min length is 5: at least one protection profile(2 bytes)
579 * and length(2 bytes) + srtp_mki length(1 byte)
580 * Check here that we have at least 2 bytes of protection profiles length
581 * and one of srtp_mki length
582 */
583 if (len < size_of_lengths) {
584 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
585 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
586 return MBEDTLS_ERR_SSL_DECODE_ERROR;
587 }
588
589 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
590
591 /* first 2 bytes are protection profile length(in bytes) */
592 profile_length = (buf[0] << 8) | buf[1];
593 buf += 2;
594
595 /* The profile length cannot be bigger than input buffer size - lengths fields */
596 if (profile_length > len - size_of_lengths ||
597 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
598 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
599 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
600 return MBEDTLS_ERR_SSL_DECODE_ERROR;
601 }
602 /*
603 * parse the extension list values are defined in
604 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
605 */
606 for (j = 0; j < profile_length; j += 2) {
607 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
608 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
609
610 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
611 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
612 mbedtls_ssl_get_srtp_profile_as_string(
613 client_protection)));
614 } else {
615 continue;
616 }
617 /* check if suggested profile is in our list */
618 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
619 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
620 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
621 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
622 mbedtls_ssl_get_srtp_profile_as_string(
623 client_protection)));
624 break;
625 }
626 }
627 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
628 break;
629 }
630 }
631 buf += profile_length; /* buf points to the mki length */
632 mki_length = *buf;
633 buf++;
634
635 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
636 mki_length + profile_length + size_of_lengths != len) {
637 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
638 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
639 return MBEDTLS_ERR_SSL_DECODE_ERROR;
640 }
641
642 /* Parse the mki only if present and mki is supported locally */
643 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
644 mki_length > 0) {
645 ssl->dtls_srtp_info.mki_len = mki_length;
646
647 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
648
649 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
650 ssl->dtls_srtp_info.mki_len);
651 }
652
653 return 0;
654 }
655 #endif /* MBEDTLS_SSL_DTLS_SRTP */
656
657 /*
658 * Auxiliary functions for ServerHello parsing and related actions
659 */
660
661 #if defined(MBEDTLS_X509_CRT_PARSE_C)
662 /*
663 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
664 */
665 #if defined(MBEDTLS_ECDSA_C)
666 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_key_curve(mbedtls_pk_context * pk,uint16_t * curves_tls_id)667 static int ssl_check_key_curve(mbedtls_pk_context *pk,
668 uint16_t *curves_tls_id)
669 {
670 uint16_t *curr_tls_id = curves_tls_id;
671 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
672 mbedtls_ecp_group_id curr_grp_id;
673
674 while (*curr_tls_id != 0) {
675 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
676 if (curr_grp_id == grp_id) {
677 return 0;
678 }
679 curr_tls_id++;
680 }
681
682 return -1;
683 }
684 #endif /* MBEDTLS_ECDSA_C */
685
686 /*
687 * Try picking a certificate for this ciphersuite,
688 * return 0 on success and -1 on failure.
689 */
690 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_pick_cert(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)691 static int ssl_pick_cert(mbedtls_ssl_context *ssl,
692 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
693 {
694 mbedtls_ssl_key_cert *cur, *list;
695 #if defined(MBEDTLS_USE_PSA_CRYPTO)
696 psa_algorithm_t pk_alg =
697 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
698 psa_key_usage_t pk_usage =
699 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
700 #else
701 mbedtls_pk_type_t pk_alg =
702 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
703 #endif /* MBEDTLS_USE_PSA_CRYPTO */
704 uint32_t flags;
705
706 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
707 if (ssl->handshake->sni_key_cert != NULL) {
708 list = ssl->handshake->sni_key_cert;
709 } else
710 #endif
711 list = ssl->conf->key_cert;
712
713 int pk_alg_is_none = 0;
714 #if defined(MBEDTLS_USE_PSA_CRYPTO)
715 pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
716 #else
717 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
718 #endif /* MBEDTLS_USE_PSA_CRYPTO */
719 if (pk_alg_is_none) {
720 return 0;
721 }
722
723 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
724
725 if (list == NULL) {
726 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
727 return -1;
728 }
729
730 for (cur = list; cur != NULL; cur = cur->next) {
731 flags = 0;
732 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
733 cur->cert);
734
735 int key_type_matches = 0;
736 #if defined(MBEDTLS_USE_PSA_CRYPTO)
737 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
738 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
739 ssl->conf->f_async_decrypt_start != NULL ||
740 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
741 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
742 #else
743 key_type_matches = (
744 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
745 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
746 #else
747 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
748 #endif /* MBEDTLS_USE_PSA_CRYPTO */
749 if (!key_type_matches) {
750 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
751 continue;
752 }
753
754 /*
755 * This avoids sending the client a cert it'll reject based on
756 * keyUsage or other extensions.
757 *
758 * It also allows the user to provision different certificates for
759 * different uses based on keyUsage, eg if they want to avoid signing
760 * and decrypting with the same RSA key.
761 */
762 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
763 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
764 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
765 "(extended) key usage extension"));
766 continue;
767 }
768
769 #if defined(MBEDTLS_ECDSA_C)
770 if (pk_alg == MBEDTLS_PK_ECDSA &&
771 ssl_check_key_curve(&cur->cert->pk,
772 ssl->handshake->curves_tls_id) != 0) {
773 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
774 continue;
775 }
776 #endif
777
778 /* If we get there, we got a winner */
779 break;
780 }
781
782 /* Do not update ssl->handshake->key_cert unless there is a match */
783 if (cur != NULL) {
784 ssl->handshake->key_cert = cur;
785 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
786 ssl->handshake->key_cert->cert);
787 return 0;
788 }
789
790 return -1;
791 }
792 #endif /* MBEDTLS_X509_CRT_PARSE_C */
793
794 /*
795 * Check if a given ciphersuite is suitable for use with our config/keys/etc
796 * Sets ciphersuite_info only if the suite matches.
797 */
798 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_ciphersuite_match(mbedtls_ssl_context * ssl,int suite_id,const mbedtls_ssl_ciphersuite_t ** ciphersuite_info)799 static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
800 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
801 {
802 const mbedtls_ssl_ciphersuite_t *suite_info;
803
804 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
805 mbedtls_pk_type_t sig_type;
806 #endif
807
808 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
809 if (suite_info == NULL) {
810 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
811 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
812 }
813
814 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
815 (unsigned int) suite_id, suite_info->name));
816
817 if (suite_info->min_tls_version > ssl->tls_version ||
818 suite_info->max_tls_version < ssl->tls_version) {
819 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
820 return 0;
821 }
822
823 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
824 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
825 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
826 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
827 "not configured or ext missing"));
828 return 0;
829 }
830 #endif
831
832
833 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
834 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
835 (ssl->handshake->curves_tls_id == NULL ||
836 ssl->handshake->curves_tls_id[0] == 0)) {
837 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
838 "no common elliptic curve"));
839 return 0;
840 }
841 #endif
842
843 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
844 /* If the ciphersuite requires a pre-shared key and we don't
845 * have one, skip it now rather than failing later */
846 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
847 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
848 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
849 return 0;
850 }
851 #endif
852
853 #if defined(MBEDTLS_X509_CRT_PARSE_C)
854 /*
855 * Final check: if ciphersuite requires us to have a
856 * certificate/key of a particular type:
857 * - select the appropriate certificate if we have one, or
858 * - try the next ciphersuite if we don't
859 * This must be done last since we modify the key_cert list.
860 */
861 if (ssl_pick_cert(ssl, suite_info) != 0) {
862 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
863 "no suitable certificate"));
864 return 0;
865 }
866 #endif
867
868 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
869 /* If the ciphersuite requires signing, check whether
870 * a suitable hash algorithm is present. */
871 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
872 if (sig_type != MBEDTLS_PK_NONE &&
873 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
874 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
875 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
876 "for signature algorithm %u", (unsigned) sig_type));
877 return 0;
878 }
879
880 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
881
882 *ciphersuite_info = suite_info;
883 return 0;
884 }
885
886 /* This function doesn't alert on errors that happen early during
887 ClientHello parsing because they might indicate that the client is
888 not talking SSL/TLS at all and would not understand our alert. */
889 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_hello(mbedtls_ssl_context * ssl)890 static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
891 {
892 int ret, got_common_suite;
893 size_t i, j;
894 size_t ciph_offset, comp_offset, ext_offset;
895 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
896 #if defined(MBEDTLS_SSL_PROTO_DTLS)
897 size_t cookie_offset, cookie_len;
898 #endif
899 unsigned char *buf, *p, *ext;
900 #if defined(MBEDTLS_SSL_RENEGOTIATION)
901 int renegotiation_info_seen = 0;
902 #endif
903 int handshake_failure = 0;
904 const int *ciphersuites;
905 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
906
907 /* If there is no signature-algorithm extension present,
908 * we need to fall back to the default values for allowed
909 * signature-hash pairs. */
910 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
911 int sig_hash_alg_ext_present = 0;
912 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
913
914 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
915
916 int renegotiating;
917
918 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
919 read_record_header:
920 #endif
921 /*
922 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
923 * otherwise read it ourselves manually in order to support SSLv2
924 * ClientHello, which doesn't use the same record layer format.
925 */
926 renegotiating = 0;
927 #if defined(MBEDTLS_SSL_RENEGOTIATION)
928 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
929 #endif
930 if (!renegotiating) {
931 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
932 /* No alert on a read error. */
933 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
934 return ret;
935 }
936 }
937
938 buf = ssl->in_hdr;
939
940 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
941
942 /*
943 * TLS Client Hello
944 *
945 * Record layer:
946 * 0 . 0 message type
947 * 1 . 2 protocol version
948 * 3 . 11 DTLS: epoch + record sequence number
949 * 3 . 4 message length
950 */
951 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
952 buf[0]));
953
954 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
955 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
956 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
957 }
958
959 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
960 (ssl->in_len[0] << 8) | ssl->in_len[1]));
961
962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
963 buf[1], buf[2]));
964
965 /* For DTLS if this is the initial handshake, remember the client sequence
966 * number to use it in our next message (RFC 6347 4.2.1) */
967 #if defined(MBEDTLS_SSL_PROTO_DTLS)
968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
969 #if defined(MBEDTLS_SSL_RENEGOTIATION)
970 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
971 #endif
972 ) {
973 /* Epoch should be 0 for initial handshakes */
974 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
975 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
976 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
977 }
978
979 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
980 sizeof(ssl->cur_out_ctr) - 2);
981
982 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
983 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
984 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
985 ssl->next_record_offset = 0;
986 ssl->in_left = 0;
987 goto read_record_header;
988 }
989
990 /* No MAC to check yet, so we can update right now */
991 mbedtls_ssl_dtls_replay_update(ssl);
992 #endif
993 }
994 #endif /* MBEDTLS_SSL_PROTO_DTLS */
995
996 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
997
998 #if defined(MBEDTLS_SSL_RENEGOTIATION)
999 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1000 /* Set by mbedtls_ssl_read_record() */
1001 msg_len = ssl->in_hslen;
1002 } else
1003 #endif
1004 {
1005 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1006 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1007 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1008 }
1009
1010 if ((ret = mbedtls_ssl_fetch_input(ssl,
1011 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1012 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1013 return ret;
1014 }
1015
1016 /* Done reading this record, get ready for the next one */
1017 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1018 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1019 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1020 } else
1021 #endif
1022 ssl->in_left = 0;
1023 }
1024
1025 buf = ssl->in_msg;
1026
1027 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
1028
1029 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1030 if (0 != ret) {
1031 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1032 return ret;
1033 }
1034
1035 /*
1036 * Handshake layer:
1037 * 0 . 0 handshake type
1038 * 1 . 3 handshake length
1039 * 4 . 5 DTLS only: message sequence number
1040 * 6 . 8 DTLS only: fragment offset
1041 * 9 . 11 DTLS only: fragment length
1042 */
1043 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1044 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1045 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1046 }
1047
1048 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
1049
1050 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1051 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1052 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1053 }
1054 {
1055 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1056 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1057 (unsigned) handshake_len));
1058
1059 /* The record layer has a record size limit of 2^14 - 1 and
1060 * fragmentation is not supported, so buf[1] should be zero. */
1061 if (buf[1] != 0) {
1062 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1063 (unsigned) buf[1]));
1064 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1065 }
1066
1067 /* We don't support fragmentation of ClientHello (yet?) */
1068 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1069 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1070 (unsigned) msg_len,
1071 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1072 (unsigned) handshake_len));
1073 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1074 }
1075 }
1076
1077 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1078 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1079 /*
1080 * Copy the client's handshake message_seq on initial handshakes,
1081 * check sequence number on renego.
1082 */
1083 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1084 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1085 /* This couldn't be done in ssl_prepare_handshake_record() */
1086 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1087 ssl->in_msg[5];
1088
1089 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1090 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1091 "%u (expected %u)", cli_msg_seq,
1092 ssl->handshake->in_msg_seq));
1093 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1094 }
1095
1096 ssl->handshake->in_msg_seq++;
1097 } else
1098 #endif
1099 {
1100 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1101 ssl->in_msg[5];
1102 ssl->handshake->out_msg_seq = cli_msg_seq;
1103 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1104 }
1105 {
1106 /*
1107 * For now we don't support fragmentation, so make sure
1108 * fragment_offset == 0 and fragment_length == length
1109 */
1110 size_t fragment_offset, fragment_length, length;
1111 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1112 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1113 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
1114 MBEDTLS_SSL_DEBUG_MSG(
1115 4, ("fragment_offset=%u fragment_length=%u length=%u",
1116 (unsigned) fragment_offset, (unsigned) fragment_length,
1117 (unsigned) length));
1118 if (fragment_offset != 0 || length != fragment_length) {
1119 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1120 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1121 }
1122 }
1123 }
1124 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1125
1126 buf += mbedtls_ssl_hs_hdr_len(ssl);
1127 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1128
1129 /*
1130 * ClientHello layer:
1131 * 0 . 1 protocol version
1132 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1133 * 34 . 35 session id length (1 byte)
1134 * 35 . 34+x session id
1135 * 35+x . 35+x DTLS only: cookie length (1 byte)
1136 * 36+x . .. DTLS only: cookie
1137 * .. . .. ciphersuite list length (2 bytes)
1138 * .. . .. ciphersuite list
1139 * .. . .. compression alg. list length (1 byte)
1140 * .. . .. compression alg. list
1141 * .. . .. extensions length (2 bytes, optional)
1142 * .. . .. extensions (optional)
1143 */
1144
1145 /*
1146 * Minimal length (with everything empty and extensions omitted) is
1147 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1148 * read at least up to session id length without worrying.
1149 */
1150 if (msg_len < 38) {
1151 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1152 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1153 }
1154
1155 /*
1156 * Check and save the protocol version
1157 */
1158 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
1159
1160 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
1161 ssl->session_negotiate->tls_version = ssl->tls_version;
1162
1163 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1164 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1165 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1166 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1167 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1168 }
1169
1170 /*
1171 * Save client random (inc. Unix time)
1172 */
1173 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
1174
1175 memcpy(ssl->handshake->randbytes, buf + 2, 32);
1176
1177 /*
1178 * Check the session ID length and save session ID
1179 */
1180 sess_len = buf[34];
1181
1182 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1183 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1184 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1185 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1186 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1187 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1188 }
1189
1190 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
1191
1192 ssl->session_negotiate->id_len = sess_len;
1193 memset(ssl->session_negotiate->id, 0,
1194 sizeof(ssl->session_negotiate->id));
1195 memcpy(ssl->session_negotiate->id, buf + 35,
1196 ssl->session_negotiate->id_len);
1197
1198 /*
1199 * Check the cookie length and content
1200 */
1201 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1202 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1203 cookie_offset = 35 + sess_len;
1204 cookie_len = buf[cookie_offset];
1205
1206 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1207 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1208 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1209 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1210 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1211 }
1212
1213 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1214 buf + cookie_offset + 1, cookie_len);
1215
1216 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1217 if (ssl->conf->f_cookie_check != NULL
1218 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1219 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1220 #endif
1221 ) {
1222 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1223 buf + cookie_offset + 1, cookie_len,
1224 ssl->cli_id, ssl->cli_id_len) != 0) {
1225 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
1226 ssl->handshake->cookie_verify_result = 1;
1227 } else {
1228 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
1229 ssl->handshake->cookie_verify_result = 0;
1230 }
1231 } else
1232 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1233 {
1234 /* We know we didn't send a cookie, so it should be empty */
1235 if (cookie_len != 0) {
1236 /* This may be an attacker's probe, so don't send an alert */
1237 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1238 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1239 }
1240
1241 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
1242 }
1243
1244 /*
1245 * Check the ciphersuitelist length (will be parsed later)
1246 */
1247 ciph_offset = cookie_offset + 1 + cookie_len;
1248 } else
1249 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1250 ciph_offset = 35 + sess_len;
1251
1252 ciph_len = (buf[ciph_offset + 0] << 8)
1253 | (buf[ciph_offset + 1]);
1254
1255 if (ciph_len < 2 ||
1256 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1257 (ciph_len % 2) != 0) {
1258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1261 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1262 }
1263
1264 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1265 buf + ciph_offset + 2, ciph_len);
1266
1267 /*
1268 * Check the compression algorithm's length.
1269 * The list contents are ignored because implementing
1270 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1271 * option supported by Mbed TLS.
1272 */
1273 comp_offset = ciph_offset + 2 + ciph_len;
1274
1275 comp_len = buf[comp_offset];
1276
1277 if (comp_len < 1 ||
1278 comp_len > 16 ||
1279 comp_len + comp_offset + 1 > msg_len) {
1280 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1281 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1282 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1283 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1284 }
1285
1286 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1287 buf + comp_offset + 1, comp_len);
1288
1289 /*
1290 * Check the extension length
1291 */
1292 ext_offset = comp_offset + 1 + comp_len;
1293 if (msg_len > ext_offset) {
1294 if (msg_len < ext_offset + 2) {
1295 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1296 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1297 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1298 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1299 }
1300
1301 ext_len = (buf[ext_offset + 0] << 8)
1302 | (buf[ext_offset + 1]);
1303
1304 if (msg_len != ext_offset + 2 + ext_len) {
1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1308 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1309 }
1310 } else {
1311 ext_len = 0;
1312 }
1313
1314 ext = buf + ext_offset + 2;
1315 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1316
1317 while (ext_len != 0) {
1318 unsigned int ext_id;
1319 unsigned int ext_size;
1320 if (ext_len < 4) {
1321 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1322 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1323 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1324 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1325 }
1326 ext_id = ((ext[0] << 8) | (ext[1]));
1327 ext_size = ((ext[2] << 8) | (ext[3]));
1328
1329 if (ext_size + 4 > ext_len) {
1330 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1331 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1332 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1333 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1334 }
1335 switch (ext_id) {
1336 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1337 case MBEDTLS_TLS_EXT_SERVERNAME:
1338 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1339 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1340 ext + 4 + ext_size);
1341 if (ret != 0) {
1342 return ret;
1343 }
1344 break;
1345 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1346
1347 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1348 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1349 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1350 renegotiation_info_seen = 1;
1351 #endif
1352
1353 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1354 if (ret != 0) {
1355 return ret;
1356 }
1357 break;
1358
1359 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1360 case MBEDTLS_TLS_EXT_SIG_ALG:
1361 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1362
1363 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1364 if (ret != 0) {
1365 return ret;
1366 }
1367
1368 sig_hash_alg_ext_present = 1;
1369 break;
1370 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1371
1372 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1373 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1374 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1375 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
1376
1377 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1378 if (ret != 0) {
1379 return ret;
1380 }
1381 break;
1382
1383 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1384 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
1385 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1386
1387 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1388 if (ret != 0) {
1389 return ret;
1390 }
1391 break;
1392 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1393 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1394
1395 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1396 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1397 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
1398
1399 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1400 if (ret != 0) {
1401 return ret;
1402 }
1403 break;
1404 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1405
1406 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1407 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1408 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
1409
1410 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1411 if (ret != 0) {
1412 return ret;
1413 }
1414 break;
1415 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1416
1417 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1418 case MBEDTLS_TLS_EXT_CID:
1419 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1420
1421 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1422 if (ret != 0) {
1423 return ret;
1424 }
1425 break;
1426 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1427
1428 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1429 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1430 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
1431
1432 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1433 if (ret != 0) {
1434 return ret;
1435 }
1436 break;
1437 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1438
1439 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1440 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1441 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
1442
1443 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1444 if (ret != 0) {
1445 return ret;
1446 }
1447 break;
1448 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1449
1450 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1451 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1452 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
1453
1454 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1455 if (ret != 0) {
1456 return ret;
1457 }
1458 break;
1459 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1460
1461 #if defined(MBEDTLS_SSL_ALPN)
1462 case MBEDTLS_TLS_EXT_ALPN:
1463 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1464
1465 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1466 ext + 4 + ext_size);
1467 if (ret != 0) {
1468 return ret;
1469 }
1470 break;
1471 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1472
1473 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1474 case MBEDTLS_TLS_EXT_USE_SRTP:
1475 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1476
1477 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1478 if (ret != 0) {
1479 return ret;
1480 }
1481 break;
1482 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1483
1484 default:
1485 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1486 ext_id));
1487 }
1488
1489 ext_len -= 4 + ext_size;
1490 ext += 4 + ext_size;
1491 }
1492
1493 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1494
1495 /*
1496 * Try to fall back to default hash SHA1 if the client
1497 * hasn't provided any preferred signature-hash combinations.
1498 */
1499 if (!sig_hash_alg_ext_present) {
1500 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1501 const uint16_t default_sig_algs[] = {
1502 #if defined(MBEDTLS_ECDSA_C)
1503 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1504 MBEDTLS_SSL_HASH_SHA1),
1505 #endif
1506 #if defined(MBEDTLS_RSA_C)
1507 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1508 MBEDTLS_SSL_HASH_SHA1),
1509 #endif
1510 MBEDTLS_TLS_SIG_NONE
1511 };
1512
1513 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1514 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1515 "default_sig_algs is too big");
1516
1517 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
1518 }
1519
1520 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1521
1522 /*
1523 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1524 */
1525 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1526 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1527 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1528 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1529 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1530 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1531 "during renegotiation"));
1532 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1533 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1534 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1535 }
1536 #endif
1537 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1538 break;
1539 }
1540 }
1541
1542 /*
1543 * Renegotiation security checks
1544 */
1545 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1546 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1547 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1548 handshake_failure = 1;
1549 }
1550 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1551 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1552 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1553 renegotiation_info_seen == 0) {
1554 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
1555 handshake_failure = 1;
1556 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1557 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1558 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1559 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
1560 handshake_failure = 1;
1561 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1562 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1563 renegotiation_info_seen == 1) {
1564 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
1565 handshake_failure = 1;
1566 }
1567 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1568
1569 if (handshake_failure == 1) {
1570 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1571 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1572 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1573 }
1574
1575 /*
1576 * Server certification selection (after processing TLS extensions)
1577 */
1578 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1579 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1580 return ret;
1581 }
1582 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1583 ssl->handshake->sni_name = NULL;
1584 ssl->handshake->sni_name_len = 0;
1585 #endif
1586
1587 /*
1588 * Search for a matching ciphersuite
1589 * (At the end because we need information from the EC-based extensions
1590 * and certificate from the SNI callback triggered by the SNI extension
1591 * or certificate from server certificate selection callback.)
1592 */
1593 got_common_suite = 0;
1594 ciphersuites = ssl->conf->ciphersuite_list;
1595 ciphersuite_info = NULL;
1596
1597 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1598 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1599 for (i = 0; ciphersuites[i] != 0; i++) {
1600 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1601 continue;
1602 }
1603
1604 got_common_suite = 1;
1605
1606 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1607 &ciphersuite_info)) != 0) {
1608 return ret;
1609 }
1610
1611 if (ciphersuite_info != NULL) {
1612 goto have_ciphersuite;
1613 }
1614 }
1615 }
1616 } else {
1617 for (i = 0; ciphersuites[i] != 0; i++) {
1618 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1619 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1620 continue;
1621 }
1622
1623 got_common_suite = 1;
1624
1625 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1626 &ciphersuite_info)) != 0) {
1627 return ret;
1628 }
1629
1630 if (ciphersuite_info != NULL) {
1631 goto have_ciphersuite;
1632 }
1633 }
1634 }
1635 }
1636
1637 if (got_common_suite) {
1638 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1639 "but none of them usable"));
1640 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1641 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1642 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1643 } else {
1644 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1645 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1646 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1647 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1648 }
1649
1650 have_ciphersuite:
1651 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
1652
1653 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1654 ssl->handshake->ciphersuite_info = ciphersuite_info;
1655
1656 ssl->state++;
1657
1658 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1659 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1660 mbedtls_ssl_recv_flight_completed(ssl);
1661 }
1662 #endif
1663
1664 /* Debugging-only output for testsuite */
1665 #if defined(MBEDTLS_DEBUG_C) && \
1666 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1667 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1668 if (sig_alg != MBEDTLS_PK_NONE) {
1669 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1670 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1671 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1672 sig_hash));
1673 } else {
1674 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1675 "%u - should not happen", (unsigned) sig_alg));
1676 }
1677 #endif
1678
1679 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1680
1681 return 0;
1682 }
1683
1684 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl_write_cid_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1685 static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1686 unsigned char *buf,
1687 size_t *olen)
1688 {
1689 unsigned char *p = buf;
1690 size_t ext_len;
1691 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1692
1693 *olen = 0;
1694
1695 /* Skip writing the extension if we don't want to use it or if
1696 * the client hasn't offered it. */
1697 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
1698 return;
1699 }
1700
1701 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1702 * which is at most 255, so the increment cannot overflow. */
1703 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1704 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1705 return;
1706 }
1707
1708 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
1709
1710 /*
1711 * struct {
1712 * opaque cid<0..2^8-1>;
1713 * } ConnectionId;
1714 */
1715 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
1716 p += 2;
1717 ext_len = (size_t) ssl->own_cid_len + 1;
1718 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
1719 p += 2;
1720
1721 *p++ = (uint8_t) ssl->own_cid_len;
1722 memcpy(p, ssl->own_cid, ssl->own_cid_len);
1723
1724 *olen = ssl->own_cid_len + 5;
1725 }
1726 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1727
1728 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1729 static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1730 unsigned char *buf,
1731 size_t *olen)
1732 {
1733 unsigned char *p = buf;
1734 const mbedtls_ssl_ciphersuite_t *suite = NULL;
1735
1736 /*
1737 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1738 * from a client and then selects a stream or Authenticated Encryption
1739 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1740 * encrypt-then-MAC response extension back to the client."
1741 */
1742 suite = mbedtls_ssl_ciphersuite_from_id(
1743 ssl->session_negotiate->ciphersuite);
1744 if (suite == NULL) {
1745 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1746 } else {
1747 mbedtls_ssl_mode_t ssl_mode =
1748 mbedtls_ssl_get_mode_from_ciphersuite(
1749 ssl->session_negotiate->encrypt_then_mac,
1750 suite);
1751
1752 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
1753 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1754 }
1755 }
1756
1757 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
1758 *olen = 0;
1759 return;
1760 }
1761
1762 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
1763
1764 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
1765 p += 2;
1766
1767 *p++ = 0x00;
1768 *p++ = 0x00;
1769
1770 *olen = 4;
1771 }
1772 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
1773
1774 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1775 static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1776 unsigned char *buf,
1777 size_t *olen)
1778 {
1779 unsigned char *p = buf;
1780
1781 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
1782 *olen = 0;
1783 return;
1784 }
1785
1786 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1787 "extension"));
1788
1789 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
1790 p += 2;
1791
1792 *p++ = 0x00;
1793 *p++ = 0x00;
1794
1795 *olen = 4;
1796 }
1797 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1798
1799 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1800 static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1801 unsigned char *buf,
1802 size_t *olen)
1803 {
1804 unsigned char *p = buf;
1805
1806 if (ssl->handshake->new_session_ticket == 0) {
1807 *olen = 0;
1808 return;
1809 }
1810
1811 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
1812
1813 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
1814 p += 2;
1815
1816 *p++ = 0x00;
1817 *p++ = 0x00;
1818
1819 *olen = 4;
1820 }
1821 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1822
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1823 static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1824 unsigned char *buf,
1825 size_t *olen)
1826 {
1827 unsigned char *p = buf;
1828
1829 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
1830 *olen = 0;
1831 return;
1832 }
1833
1834 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
1835
1836 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
1837 p += 2;
1838
1839 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1840 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1841 *p++ = 0x00;
1842 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
1843 *p++ = ssl->verify_data_len * 2 & 0xFF;
1844
1845 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
1846 p += ssl->verify_data_len;
1847 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
1848 p += ssl->verify_data_len;
1849 } else
1850 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1851 {
1852 *p++ = 0x00;
1853 *p++ = 0x01;
1854 *p++ = 0x00;
1855 }
1856
1857 *olen = p - buf;
1858 }
1859
1860 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1861 static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1862 unsigned char *buf,
1863 size_t *olen)
1864 {
1865 unsigned char *p = buf;
1866
1867 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
1868 *olen = 0;
1869 return;
1870 }
1871
1872 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
1873
1874 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
1875 p += 2;
1876
1877 *p++ = 0x00;
1878 *p++ = 1;
1879
1880 *p++ = ssl->session_negotiate->mfl_code;
1881
1882 *olen = 5;
1883 }
1884 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1885
1886 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1887 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1888 static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1889 unsigned char *buf,
1890 size_t *olen)
1891 {
1892 unsigned char *p = buf;
1893 ((void) ssl);
1894
1895 if ((ssl->handshake->cli_exts &
1896 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
1897 *olen = 0;
1898 return;
1899 }
1900
1901 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
1902
1903 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
1904 p += 2;
1905
1906 *p++ = 0x00;
1907 *p++ = 2;
1908
1909 *p++ = 1;
1910 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
1911
1912 *olen = 6;
1913 }
1914 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1915
1916 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1917 static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1918 unsigned char *buf,
1919 size_t *olen)
1920 {
1921 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1922 unsigned char *p = buf;
1923 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1924 size_t kkpp_len;
1925
1926 *olen = 0;
1927
1928 /* Skip costly computation if not needed */
1929 if (ssl->handshake->ciphersuite_info->key_exchange !=
1930 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1931 return;
1932 }
1933
1934 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1935
1936 if (end - p < 4) {
1937 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1938 return;
1939 }
1940
1941 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
1942 p += 2;
1943
1944 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1945 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1946 p + 2, end - p - 2, &kkpp_len,
1947 MBEDTLS_ECJPAKE_ROUND_ONE);
1948 if (ret != 0) {
1949 psa_destroy_key(ssl->handshake->psa_pake_password);
1950 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1951 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
1952 return;
1953 }
1954 #else
1955 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1956 p + 2, end - p - 2, &kkpp_len,
1957 ssl->conf->f_rng, ssl->conf->p_rng);
1958 if (ret != 0) {
1959 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
1960 return;
1961 }
1962 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1963
1964 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
1965 p += 2;
1966
1967 *olen = kkpp_len + 4;
1968 }
1969 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1970
1971 #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1972 static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1973 unsigned char *buf,
1974 size_t *olen)
1975 {
1976 size_t mki_len = 0, ext_len = 0;
1977 uint16_t profile_value = 0;
1978 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1979
1980 *olen = 0;
1981
1982 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1983 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
1984 return;
1985 }
1986
1987 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
1988
1989 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1990 mki_len = ssl->dtls_srtp_info.mki_len;
1991 }
1992
1993 /* The extension total size is 9 bytes :
1994 * - 2 bytes for the extension tag
1995 * - 2 bytes for the total size
1996 * - 2 bytes for the protection profile length
1997 * - 2 bytes for the protection profile
1998 * - 1 byte for the mki length
1999 * + the actual mki length
2000 * Check we have enough room in the output buffer */
2001 if ((size_t) (end - buf) < mki_len + 9) {
2002 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2003 return;
2004 }
2005
2006 /* extension */
2007 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
2008 /*
2009 * total length 5 and mki value: only one profile(2 bytes)
2010 * and length(2 bytes) and srtp_mki )
2011 */
2012 ext_len = 5 + mki_len;
2013 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
2014
2015 /* protection profile length: 2 */
2016 buf[4] = 0x00;
2017 buf[5] = 0x02;
2018 profile_value = mbedtls_ssl_check_srtp_profile_value(
2019 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2020 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2021 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2022 } else {
2023 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
2024 return;
2025 }
2026
2027 buf[8] = mki_len & 0xFF;
2028 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2029
2030 *olen = 9 + mki_len;
2031 }
2032 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2033
2034 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2035 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_verify_request(mbedtls_ssl_context * ssl)2036 static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
2037 {
2038 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2039 unsigned char *p = ssl->out_msg + 4;
2040 unsigned char *cookie_len_byte;
2041
2042 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
2043
2044 /*
2045 * struct {
2046 * ProtocolVersion server_version;
2047 * opaque cookie<0..2^8-1>;
2048 * } HelloVerifyRequest;
2049 */
2050
2051 /* The RFC is not clear on this point, but sending the actual negotiated
2052 * version looks like the most interoperable thing to do. */
2053 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2054 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
2055 p += 2;
2056
2057 /* If we get here, f_cookie_check is not null */
2058 if (ssl->conf->f_cookie_write == NULL) {
2059 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2060 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2061 }
2062
2063 /* Skip length byte until we know the length */
2064 cookie_len_byte = p++;
2065
2066 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2067 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2068 ssl->cli_id, ssl->cli_id_len)) != 0) {
2069 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2070 return ret;
2071 }
2072
2073 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
2074
2075 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
2076
2077 ssl->out_msglen = p - ssl->out_msg;
2078 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2079 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2080
2081 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2082
2083 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2084 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2085 return ret;
2086 }
2087
2088 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2089 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2090 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2091 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2092 return ret;
2093 }
2094 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2095
2096 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
2097
2098 return 0;
2099 }
2100 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2101
ssl_handle_id_based_session_resumption(mbedtls_ssl_context * ssl)2102 static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
2103 {
2104 int ret;
2105 mbedtls_ssl_session session_tmp;
2106 mbedtls_ssl_session * const session = ssl->session_negotiate;
2107
2108 /* Resume is 0 by default, see ssl_handshake_init().
2109 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
2110 if (ssl->handshake->resume == 1) {
2111 return;
2112 }
2113 if (session->id_len == 0) {
2114 return;
2115 }
2116 if (ssl->conf->f_get_cache == NULL) {
2117 return;
2118 }
2119 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2120 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2121 return;
2122 }
2123 #endif
2124
2125 mbedtls_ssl_session_init(&session_tmp);
2126
2127 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2128 session->id,
2129 session->id_len,
2130 &session_tmp);
2131 if (ret != 0) {
2132 goto exit;
2133 }
2134
2135 if (session->ciphersuite != session_tmp.ciphersuite) {
2136 /* Mismatch between cached and negotiated session */
2137 goto exit;
2138 }
2139
2140 /* Move semantics */
2141 mbedtls_ssl_session_free(session);
2142 *session = session_tmp;
2143 memset(&session_tmp, 0, sizeof(session_tmp));
2144
2145 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
2146 ssl->handshake->resume = 1;
2147
2148 exit:
2149
2150 mbedtls_ssl_session_free(&session_tmp);
2151 }
2152
2153 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_hello(mbedtls_ssl_context * ssl)2154 static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
2155 {
2156 #if defined(MBEDTLS_HAVE_TIME)
2157 mbedtls_time_t t;
2158 #endif
2159 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2160 size_t olen, ext_len = 0, n;
2161 unsigned char *buf, *p;
2162
2163 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2164
2165 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2166 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2167 ssl->handshake->cookie_verify_result != 0) {
2168 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2169 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2170
2171 return ssl_write_hello_verify_request(ssl);
2172 }
2173 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2174
2175 if (ssl->conf->f_rng == NULL) {
2176 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2177 return MBEDTLS_ERR_SSL_NO_RNG;
2178 }
2179
2180 /*
2181 * 0 . 0 handshake type
2182 * 1 . 3 handshake length
2183 * 4 . 5 protocol version
2184 * 6 . 9 UNIX time()
2185 * 10 . 37 random bytes
2186 */
2187 buf = ssl->out_msg;
2188 p = buf + 4;
2189
2190 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2191 p += 2;
2192
2193 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2194 buf[4], buf[5]));
2195
2196 #if defined(MBEDTLS_HAVE_TIME)
2197 t = mbedtls_time(NULL);
2198 MBEDTLS_PUT_UINT32_BE(t, p, 0);
2199 p += 4;
2200
2201 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2202 (long long) t));
2203 #else
2204 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2205 return ret;
2206 }
2207
2208 p += 4;
2209 #endif /* MBEDTLS_HAVE_TIME */
2210
2211 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) {
2212 return ret;
2213 }
2214
2215 p += 28;
2216
2217 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2218
2219 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
2220
2221 ssl_handle_id_based_session_resumption(ssl);
2222
2223 if (ssl->handshake->resume == 0) {
2224 /*
2225 * New session, create a new session id,
2226 * unless we're about to issue a session ticket
2227 */
2228 ssl->state++;
2229
2230 #if defined(MBEDTLS_HAVE_TIME)
2231 ssl->session_negotiate->start = mbedtls_time(NULL);
2232 #endif
2233
2234 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2235 if (ssl->handshake->new_session_ticket != 0) {
2236 ssl->session_negotiate->id_len = n = 0;
2237 memset(ssl->session_negotiate->id, 0, 32);
2238 } else
2239 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2240 {
2241 ssl->session_negotiate->id_len = n = 32;
2242 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2243 n)) != 0) {
2244 return ret;
2245 }
2246 }
2247 } else {
2248 /*
2249 * Resuming a session
2250 */
2251 n = ssl->session_negotiate->id_len;
2252 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2253
2254 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2256 return ret;
2257 }
2258 }
2259
2260 /*
2261 * 38 . 38 session id length
2262 * 39 . 38+n session id
2263 * 39+n . 40+n chosen ciphersuite
2264 * 41+n . 41+n chosen compression alg.
2265 * 42+n . 43+n extensions length
2266 * 44+n . 43+n+m extensions
2267 */
2268 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2269 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2270 p += ssl->session_negotiate->id_len;
2271
2272 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2273 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2274 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2275 ssl->handshake->resume ? "a" : "no"));
2276
2277 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2278 p += 2;
2279 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
2280
2281 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2282 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2283 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2284 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
2285
2286 /*
2287 * First write extensions, then the total length
2288 */
2289 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2290 ext_len += olen;
2291
2292 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2293 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2294 ext_len += olen;
2295 #endif
2296
2297 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2298 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2299 ext_len += olen;
2300 #endif
2301
2302 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2303 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2304 ext_len += olen;
2305 #endif
2306
2307 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2308 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2309 ext_len += olen;
2310 #endif
2311
2312 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2313 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2314 ext_len += olen;
2315 #endif
2316
2317 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2318 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2319 const mbedtls_ssl_ciphersuite_t *suite =
2320 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2321 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2322 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2323 ext_len += olen;
2324 }
2325 #endif
2326
2327 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2328 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2329 ext_len += olen;
2330 #endif
2331
2332 #if defined(MBEDTLS_SSL_ALPN)
2333 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
2334 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2335 != 0) {
2336 return ret;
2337 }
2338
2339 ext_len += olen;
2340 #endif
2341
2342 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2343 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2344 ext_len += olen;
2345 #endif
2346
2347 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2348 ext_len));
2349
2350 if (ext_len > 0) {
2351 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
2352 p += 2 + ext_len;
2353 }
2354
2355 ssl->out_msglen = p - buf;
2356 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2357 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2358
2359 ret = mbedtls_ssl_write_handshake_msg(ssl);
2360
2361 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2362
2363 return ret;
2364 }
2365
2366 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2367 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2368 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2369 {
2370 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2371 ssl->handshake->ciphersuite_info;
2372
2373 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2374
2375 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2376 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2377 ssl->state++;
2378 return 0;
2379 }
2380
2381 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2382 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2383 }
2384 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2385 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2386 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2387 {
2388 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2389 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2390 ssl->handshake->ciphersuite_info;
2391 uint16_t dn_size, total_dn_size; /* excluding length bytes */
2392 size_t ct_len, sa_len; /* including length bytes */
2393 unsigned char *buf, *p;
2394 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2395 const mbedtls_x509_crt *crt;
2396 int authmode;
2397
2398 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2399
2400 ssl->state++;
2401
2402 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2403 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2404 authmode = ssl->handshake->sni_authmode;
2405 } else
2406 #endif
2407 authmode = ssl->conf->authmode;
2408
2409 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2410 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2411 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2412 return 0;
2413 }
2414
2415 /*
2416 * 0 . 0 handshake type
2417 * 1 . 3 handshake length
2418 * 4 . 4 cert type count
2419 * 5 .. m-1 cert types
2420 * m .. m+1 sig alg length (TLS 1.2 only)
2421 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2422 * n .. n+1 length of all DNs
2423 * n+2 .. n+3 length of DN 1
2424 * n+4 .. ... Distinguished Name #1
2425 * ... .. ... length of DN 2, etc.
2426 */
2427 buf = ssl->out_msg;
2428 p = buf + 4;
2429
2430 /*
2431 * Supported certificate types
2432 *
2433 * ClientCertificateType certificate_types<1..2^8-1>;
2434 * enum { (255) } ClientCertificateType;
2435 */
2436 ct_len = 0;
2437
2438 #if defined(MBEDTLS_RSA_C)
2439 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2440 #endif
2441 #if defined(MBEDTLS_ECDSA_C)
2442 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2443 #endif
2444
2445 p[0] = (unsigned char) ct_len++;
2446 p += ct_len;
2447
2448 sa_len = 0;
2449
2450 /*
2451 * Add signature_algorithms for verify (TLS 1.2)
2452 *
2453 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2454 *
2455 * struct {
2456 * HashAlgorithm hash;
2457 * SignatureAlgorithm signature;
2458 * } SignatureAndHashAlgorithm;
2459 *
2460 * enum { (255) } HashAlgorithm;
2461 * enum { (255) } SignatureAlgorithm;
2462 */
2463 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2464 if (sig_alg == NULL) {
2465 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2466 }
2467
2468 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2469 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
2470
2471 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
2472 continue;
2473 }
2474 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
2475 continue;
2476 }
2477
2478 /* Write elements at offsets starting from 1 (offset 0 is for the
2479 * length). Thus the offset of each element is the length of the
2480 * partial list including that element. */
2481 sa_len += 2;
2482 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
2483
2484 }
2485
2486 /* Fill in list length. */
2487 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
2488 sa_len += 2;
2489 p += sa_len;
2490
2491 /*
2492 * DistinguishedName certificate_authorities<0..2^16-1>;
2493 * opaque DistinguishedName<1..2^16-1>;
2494 */
2495 p += 2;
2496
2497 total_dn_size = 0;
2498
2499 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
2500 /* NOTE: If trusted certificates are provisioned
2501 * via a CA callback (configured through
2502 * `mbedtls_ssl_conf_ca_cb()`, then the
2503 * CertificateRequest is currently left empty. */
2504
2505 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2506 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2507 if (ssl->handshake->dn_hints != NULL) {
2508 crt = ssl->handshake->dn_hints;
2509 } else
2510 #endif
2511 if (ssl->conf->dn_hints != NULL) {
2512 crt = ssl->conf->dn_hints;
2513 } else
2514 #endif
2515 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2516 if (ssl->handshake->sni_ca_chain != NULL) {
2517 crt = ssl->handshake->sni_ca_chain;
2518 } else
2519 #endif
2520 crt = ssl->conf->ca_chain;
2521
2522 while (crt != NULL && crt->version != 0) {
2523 /* It follows from RFC 5280 A.1 that this length
2524 * can be represented in at most 11 bits. */
2525 dn_size = (uint16_t) crt->subject_raw.len;
2526
2527 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2528 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
2529 break;
2530 }
2531
2532 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
2533 p += 2;
2534 memcpy(p, crt->subject_raw.p, dn_size);
2535 p += dn_size;
2536
2537 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
2538
2539 total_dn_size += 2 + dn_size;
2540 crt = crt->next;
2541 }
2542 }
2543
2544 ssl->out_msglen = p - buf;
2545 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2546 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2547 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
2548
2549 ret = mbedtls_ssl_write_handshake_msg(ssl);
2550
2551 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2552
2553 return ret;
2554 }
2555 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2556
2557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2558 (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2559 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
2560 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2561 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2562 {
2563 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2564 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2565 unsigned char buf[
2566 PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2567 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
2568 uint16_t tls_id = 0;
2569 psa_ecc_family_t ecc_family;
2570 size_t key_len;
2571 mbedtls_pk_context *pk;
2572 mbedtls_ecp_keypair *key;
2573
2574 pk = mbedtls_ssl_own_key(ssl);
2575
2576 if (pk == NULL) {
2577 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2578 }
2579
2580 switch (mbedtls_pk_get_type(pk)) {
2581 case MBEDTLS_PK_OPAQUE:
2582 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2583 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2584 }
2585
2586 ssl->handshake->ecdh_psa_privkey =
2587 *((mbedtls_svc_key_id_t *) pk->pk_ctx);
2588
2589 /* Key should not be destroyed in the TLS library */
2590 ssl->handshake->ecdh_psa_privkey_is_external = 1;
2591
2592 status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey,
2593 &key_attributes);
2594 if (status != PSA_SUCCESS) {
2595 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2596 return PSA_TO_MBEDTLS_ERR(status);
2597 }
2598
2599 ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes);
2600 ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes);
2601
2602 psa_reset_key_attributes(&key_attributes);
2603
2604 ret = 0;
2605 break;
2606 case MBEDTLS_PK_ECKEY:
2607 case MBEDTLS_PK_ECKEY_DH:
2608 case MBEDTLS_PK_ECDSA:
2609 key = mbedtls_pk_ec(*pk);
2610 if (key == NULL) {
2611 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2612 }
2613
2614 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(key->grp.id);
2615 if (tls_id == 0) {
2616 /* This elliptic curve is not supported */
2617 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2618 }
2619
2620 /* If the above conversion to TLS ID was fine, then also this one will
2621 be, so there is no need to check the return value here */
2622 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family,
2623 &ssl->handshake->ecdh_bits);
2624
2625 ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family);
2626
2627 key_attributes = psa_key_attributes_init();
2628 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2629 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2630 psa_set_key_type(&key_attributes,
2631 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type));
2632 psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits);
2633
2634 key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
2635 ret = mbedtls_ecp_write_key(key, buf, key_len);
2636 if (ret != 0) {
2637 goto cleanup;
2638 }
2639
2640 status = psa_import_key(&key_attributes, buf, key_len,
2641 &ssl->handshake->ecdh_psa_privkey);
2642 if (status != PSA_SUCCESS) {
2643 ret = PSA_TO_MBEDTLS_ERR(status);
2644 goto cleanup;
2645 }
2646
2647 ret = 0;
2648 break;
2649 default:
2650 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2651 }
2652
2653 cleanup:
2654 mbedtls_platform_zeroize(buf, sizeof(buf));
2655
2656 return ret;
2657 }
2658 #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2659 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2660 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2661 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2662 {
2663 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2664
2665 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2666 if (private_key == NULL) {
2667 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2668 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
2669 }
2670
2671 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2672 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2673 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2674 }
2675
2676 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
2677 mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)),
2678 MBEDTLS_ECDH_OURS)) != 0) {
2679 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2680 return ret;
2681 }
2682
2683 return 0;
2684 }
2685 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2686 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2687
2688 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
2689 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2690 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_resume_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2691 static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2692 size_t *signature_len)
2693 {
2694 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2695 * signature length which will be added in ssl_write_server_key_exchange
2696 * after the call to ssl_prepare_server_key_exchange.
2697 * ssl_write_server_key_exchange also takes care of incrementing
2698 * ssl->out_msglen. */
2699 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2700 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2701 - sig_start);
2702 int ret = ssl->conf->f_async_resume(ssl,
2703 sig_start, signature_len, sig_max_len);
2704 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
2705 ssl->handshake->async_in_progress = 0;
2706 mbedtls_ssl_set_async_operation_data(ssl, NULL);
2707 }
2708 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2709 return ret;
2710 }
2711 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
2712 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
2713
2714 /* Prepare the ServerKeyExchange message, up to and including
2715 * calculating the signature if any, but excluding formatting the
2716 * signature and sending the message. */
2717 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2718 static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2719 size_t *signature_len)
2720 {
2721 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2722 ssl->handshake->ciphersuite_info;
2723
2724 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
2725 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2726 unsigned char *dig_signed = NULL;
2727 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2728 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
2729
2730 (void) ciphersuite_info; /* unused in some configurations */
2731 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2732 (void) signature_len;
2733 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2734
2735 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2736 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2737 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
2738 #else
2739 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
2740 #endif
2741 #endif
2742
2743 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2744
2745 /*
2746 *
2747 * Part 1: Provide key exchange parameters for chosen ciphersuite.
2748 *
2749 */
2750
2751 /*
2752 * - ECJPAKE key exchanges
2753 */
2754 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2755 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2756 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2757 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2758 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2759 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2760 ssl->out_msglen;
2761 size_t output_offset = 0;
2762 size_t output_len = 0;
2763
2764 /*
2765 * The first 3 bytes are:
2766 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2767 * [1, 2] elliptic curve's TLS ID
2768 *
2769 * However since we only support secp256r1 for now, we hardcode its
2770 * TLS ID here
2771 */
2772 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
2773 MBEDTLS_ECP_DP_SECP256R1);
2774 if (tls_id == 0) {
2775 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2776 }
2777 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
2778 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
2779 output_offset += 3;
2780
2781 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2782 out_p + output_offset,
2783 end_p - out_p - output_offset, &output_len,
2784 MBEDTLS_ECJPAKE_ROUND_TWO);
2785 if (ret != 0) {
2786 psa_destroy_key(ssl->handshake->psa_pake_password);
2787 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2788 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2789 return ret;
2790 }
2791
2792 output_offset += output_len;
2793 ssl->out_msglen += output_offset;
2794 #else
2795 size_t len = 0;
2796
2797 ret = mbedtls_ecjpake_write_round_two(
2798 &ssl->handshake->ecjpake_ctx,
2799 ssl->out_msg + ssl->out_msglen,
2800 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2801 ssl->conf->f_rng, ssl->conf->p_rng);
2802 if (ret != 0) {
2803 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2804 return ret;
2805 }
2806
2807 ssl->out_msglen += len;
2808 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2809 }
2810 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2811
2812 /*
2813 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2814 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2815 * we use empty support identity hints here.
2816 **/
2817 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2818 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2819 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2820 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2821 ssl->out_msg[ssl->out_msglen++] = 0x00;
2822 ssl->out_msg[ssl->out_msglen++] = 0x00;
2823 }
2824 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2825 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2826
2827 /*
2828 * - DHE key exchanges
2829 */
2830 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
2831 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
2832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2833 size_t len = 0;
2834
2835 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2836 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2837 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2838 }
2839
2840 /*
2841 * Ephemeral DH parameters:
2842 *
2843 * struct {
2844 * opaque dh_p<1..2^16-1>;
2845 * opaque dh_g<1..2^16-1>;
2846 * opaque dh_Ys<1..2^16-1>;
2847 * } ServerDHParams;
2848 */
2849 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2850 &ssl->conf->dhm_P,
2851 &ssl->conf->dhm_G)) != 0) {
2852 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2853 return ret;
2854 }
2855
2856 if ((ret = mbedtls_dhm_make_params(
2857 &ssl->handshake->dhm_ctx,
2858 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2859 ssl->out_msg + ssl->out_msglen, &len,
2860 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2862 return ret;
2863 }
2864
2865 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2866 dig_signed = ssl->out_msg + ssl->out_msglen;
2867 #endif
2868
2869 ssl->out_msglen += len;
2870
2871 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2872 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2873 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2874 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2875 }
2876 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
2877
2878 /*
2879 * - ECDHE key exchanges
2880 */
2881 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
2882 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
2883 /*
2884 * Ephemeral ECDH parameters:
2885 *
2886 * struct {
2887 * ECParameters curve_params;
2888 * ECPoint public;
2889 * } ServerECDHParams;
2890 */
2891 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
2892 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2894 size_t len = 0;
2895
2896 /* Match our preference list against the offered curves */
2897 if ((group_list == NULL) || (curr_tls_id == NULL)) {
2898 return MBEDTLS_ERR_SSL_BAD_CONFIG;
2899 }
2900 for (; *group_list != 0; group_list++) {
2901 for (curr_tls_id = ssl->handshake->curves_tls_id;
2902 *curr_tls_id != 0; curr_tls_id++) {
2903 if (*curr_tls_id == *group_list) {
2904 goto curve_matching_done;
2905 }
2906 }
2907 }
2908
2909 curve_matching_done:
2910 if (*curr_tls_id == 0) {
2911 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2912 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2913 }
2914
2915 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2916 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
2917
2918 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2919 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2920 psa_key_attributes_t key_attributes;
2921 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2922 uint8_t *p = ssl->out_msg + ssl->out_msglen;
2923 const size_t header_size = 4; // curve_type(1), namedcurve(2),
2924 // data length(1)
2925 const size_t data_length_size = 1;
2926 psa_ecc_family_t ec_psa_family = 0;
2927 size_t ec_bits = 0;
2928
2929 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
2930
2931 /* Convert EC's TLS ID to PSA key type. */
2932 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
2933 &ec_psa_family,
2934 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
2935 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
2936 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2937 }
2938 handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
2939 handshake->ecdh_bits = ec_bits;
2940
2941 key_attributes = psa_key_attributes_init();
2942 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2943 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2944 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
2945 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
2946
2947 /*
2948 * ECParameters curve_params
2949 *
2950 * First byte is curve_type, always named_curve
2951 */
2952 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
2953
2954 /*
2955 * Next two bytes are the namedcurve value
2956 */
2957 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
2958 p += 2;
2959
2960 /* Generate ECDH private key. */
2961 status = psa_generate_key(&key_attributes,
2962 &handshake->ecdh_psa_privkey);
2963 if (status != PSA_SUCCESS) {
2964 ret = PSA_TO_MBEDTLS_ERR(status);
2965 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
2966 return ret;
2967 }
2968
2969 /*
2970 * ECPoint public
2971 *
2972 * First byte is data length.
2973 * It will be filled later. p holds now the data length location.
2974 */
2975
2976 /* Export the public part of the ECDH private key from PSA.
2977 * Make one byte space for the length.
2978 */
2979 unsigned char *own_pubkey = p + data_length_size;
2980
2981 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
2982 - (own_pubkey - ssl->out_msg));
2983
2984 status = psa_export_public_key(handshake->ecdh_psa_privkey,
2985 own_pubkey, own_pubkey_max_len,
2986 &len);
2987 if (status != PSA_SUCCESS) {
2988 ret = PSA_TO_MBEDTLS_ERR(status);
2989 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
2990 (void) psa_destroy_key(handshake->ecdh_psa_privkey);
2991 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2992 return ret;
2993 }
2994
2995 /* Store the length of the exported public key. */
2996 *p = (uint8_t) len;
2997
2998 /* Determine full message length. */
2999 len += header_size;
3000 #else
3001 mbedtls_ecp_group_id curr_grp_id =
3002 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
3003
3004 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3005 curr_grp_id)) != 0) {
3006 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3007 return ret;
3008 }
3009
3010 if ((ret = mbedtls_ecdh_make_params(
3011 &ssl->handshake->ecdh_ctx, &len,
3012 ssl->out_msg + ssl->out_msglen,
3013 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3014 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3015 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3016 return ret;
3017 }
3018
3019 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3020 MBEDTLS_DEBUG_ECDH_Q);
3021 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3022
3023 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3024 dig_signed = ssl->out_msg + ssl->out_msglen;
3025 #endif
3026
3027 ssl->out_msglen += len;
3028 }
3029 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3030
3031 /*
3032 *
3033 * Part 2: For key exchanges involving the server signing the
3034 * exchange parameters, compute and add the signature here.
3035 *
3036 */
3037 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3038 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3039 if (dig_signed == NULL) {
3040 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3041 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3042 }
3043
3044 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3045 size_t hashlen = 0;
3046 unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
3047
3048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3049
3050 /*
3051 * 2.1: Choose hash algorithm:
3052 * For TLS 1.2, obey signature-hash-algorithm extension
3053 * to choose appropriate hash.
3054 */
3055
3056 mbedtls_pk_type_t sig_alg =
3057 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3058
3059 unsigned int sig_hash =
3060 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
3061 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
3062
3063 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
3064
3065 /* For TLS 1.2, obey signature-hash-algorithm extension
3066 * (RFC 5246, Sec. 7.4.1.4.1). */
3067 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3068 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3069 /* (... because we choose a cipher suite
3070 * only if there is a matching hash.) */
3071 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3072 }
3073
3074 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
3075
3076 /*
3077 * 2.2: Compute the hash to be signed
3078 */
3079 if (md_alg != MBEDTLS_MD_NONE) {
3080 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3081 dig_signed,
3082 dig_signed_len,
3083 md_alg);
3084 if (ret != 0) {
3085 return ret;
3086 }
3087 } else {
3088 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3089 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3090 }
3091
3092 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3093
3094 /*
3095 * 2.3: Compute and add the signature
3096 */
3097 /*
3098 * We need to specify signature and hash algorithm explicitly through
3099 * a prefix to the signature.
3100 *
3101 * struct {
3102 * HashAlgorithm hash;
3103 * SignatureAlgorithm signature;
3104 * } SignatureAndHashAlgorithm;
3105 *
3106 * struct {
3107 * SignatureAndHashAlgorithm algorithm;
3108 * opaque signature<0..2^16-1>;
3109 * } DigitallySigned;
3110 *
3111 */
3112
3113 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3114 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
3115
3116 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3117 if (ssl->conf->f_async_sign_start != NULL) {
3118 ret = ssl->conf->f_async_sign_start(ssl,
3119 mbedtls_ssl_own_cert(ssl),
3120 md_alg, hash, hashlen);
3121 switch (ret) {
3122 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3123 /* act as if f_async_sign was null */
3124 break;
3125 case 0:
3126 ssl->handshake->async_in_progress = 1;
3127 return ssl_resume_server_key_exchange(ssl, signature_len);
3128 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3129 ssl->handshake->async_in_progress = 1;
3130 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3131 default:
3132 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3133 return ret;
3134 }
3135 }
3136 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3137
3138 if (mbedtls_ssl_own_key(ssl) == NULL) {
3139 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3140 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3141 }
3142
3143 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3144 * signature length which will be added in ssl_write_server_key_exchange
3145 * after the call to ssl_prepare_server_key_exchange.
3146 * ssl_write_server_key_exchange also takes care of incrementing
3147 * ssl->out_msglen. */
3148 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3149 md_alg, hash, hashlen,
3150 ssl->out_msg + ssl->out_msglen + 2,
3151 out_buf_len - ssl->out_msglen - 2,
3152 signature_len,
3153 ssl->conf->f_rng,
3154 ssl->conf->p_rng)) != 0) {
3155 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3156 return ret;
3157 }
3158 }
3159 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3160
3161 return 0;
3162 }
3163
3164 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3165 * that do not include a ServerKeyExchange message, do nothing. Either
3166 * way, if successful, move on to the next step in the SSL state
3167 * machine. */
3168 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_key_exchange(mbedtls_ssl_context * ssl)3169 static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
3170 {
3171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3172 size_t signature_len = 0;
3173 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3174 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3175 ssl->handshake->ciphersuite_info;
3176 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3177
3178 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
3179
3180 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3181 /* Extract static ECDH parameters and abort if ServerKeyExchange
3182 * is not needed. */
3183 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
3184 /* For suites involving ECDH, extract DH parameters
3185 * from certificate at this point. */
3186 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3187 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3188 ret = ssl_get_ecdh_params_from_cert(ssl);
3189 if (ret != 0) {
3190 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3191 return ret;
3192 }
3193 }
3194 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3195
3196 /* Key exchanges not involving ephemeral keys don't use
3197 * ServerKeyExchange, so end here. */
3198 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
3199 ssl->state++;
3200 return 0;
3201 }
3202 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3203
3204 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3205 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3206 /* If we have already prepared the message and there is an ongoing
3207 * signature operation, resume signing. */
3208 if (ssl->handshake->async_in_progress != 0) {
3209 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3210 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3211 } else
3212 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3213 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3214 {
3215 /* ServerKeyExchange is needed. Prepare the message. */
3216 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3217 }
3218
3219 if (ret != 0) {
3220 /* If we're starting to write a new message, set ssl->out_msglen
3221 * to 0. But if we're resuming after an asynchronous message,
3222 * out_msglen is the amount of data written so far and mst be
3223 * preserved. */
3224 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3225 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3226 } else {
3227 ssl->out_msglen = 0;
3228 }
3229 return ret;
3230 }
3231
3232 /* If there is a signature, write its length.
3233 * ssl_prepare_server_key_exchange already wrote the signature
3234 * itself at its proper place in the output buffer. */
3235 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3236 if (signature_len != 0) {
3237 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3238 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
3239
3240 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3241 ssl->out_msg + ssl->out_msglen,
3242 signature_len);
3243
3244 /* Skip over the already-written signature */
3245 ssl->out_msglen += signature_len;
3246 }
3247 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3248
3249 /* Add header and send. */
3250 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3251 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3252
3253 ssl->state++;
3254
3255 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3256 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3257 return ret;
3258 }
3259
3260 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3261 return 0;
3262 }
3263
3264 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_hello_done(mbedtls_ssl_context * ssl)3265 static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
3266 {
3267 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3268
3269 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
3270
3271 ssl->out_msglen = 4;
3272 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3273 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3274
3275 ssl->state++;
3276
3277 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3278 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3279 mbedtls_ssl_send_flight_completed(ssl);
3280 }
3281 #endif
3282
3283 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3284 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3285 return ret;
3286 }
3287
3288 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3289 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3290 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3291 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3292 return ret;
3293 }
3294 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3295
3296 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
3297
3298 return 0;
3299 }
3300
3301 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3302 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3303 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_dh_public(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3304 static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3305 const unsigned char *end)
3306 {
3307 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3308 size_t n;
3309
3310 /*
3311 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3312 */
3313 if (*p + 2 > end) {
3314 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3315 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3316 }
3317
3318 n = ((*p)[0] << 8) | (*p)[1];
3319 *p += 2;
3320
3321 if (*p + n > end) {
3322 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3323 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3324 }
3325
3326 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3327 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3328 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3329 }
3330
3331 *p += n;
3332
3333 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3334
3335 return ret;
3336 }
3337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3338 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3339
3340 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3341 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3342
3343 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3344 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_resume_decrypt_pms(mbedtls_ssl_context * ssl,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3345 static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3346 unsigned char *peer_pms,
3347 size_t *peer_pmslen,
3348 size_t peer_pmssize)
3349 {
3350 int ret = ssl->conf->f_async_resume(ssl,
3351 peer_pms, peer_pmslen, peer_pmssize);
3352 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3353 ssl->handshake->async_in_progress = 0;
3354 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3355 }
3356 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3357 return ret;
3358 }
3359 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3360
3361 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_decrypt_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3362 static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3363 const unsigned char *p,
3364 const unsigned char *end,
3365 unsigned char *peer_pms,
3366 size_t *peer_pmslen,
3367 size_t peer_pmssize)
3368 {
3369 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3370
3371 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3372 if (own_cert == NULL) {
3373 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3374 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
3375 }
3376 mbedtls_pk_context *public_key = &own_cert->pk;
3377 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3378 size_t len = mbedtls_pk_get_len(public_key);
3379
3380 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3381 /* If we have already started decoding the message and there is an ongoing
3382 * decryption operation, resume signing. */
3383 if (ssl->handshake->async_in_progress != 0) {
3384 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3385 return ssl_resume_decrypt_pms(ssl,
3386 peer_pms, peer_pmslen, peer_pmssize);
3387 }
3388 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3389
3390 /*
3391 * Prepare to decrypt the premaster using own private RSA key
3392 */
3393 if (p + 2 > end) {
3394 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3395 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3396 }
3397 if (*p++ != MBEDTLS_BYTE_1(len) ||
3398 *p++ != MBEDTLS_BYTE_0(len)) {
3399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3400 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3401 }
3402
3403 if (p + len != end) {
3404 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3405 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3406 }
3407
3408 /*
3409 * Decrypt the premaster secret
3410 */
3411 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3412 if (ssl->conf->f_async_decrypt_start != NULL) {
3413 ret = ssl->conf->f_async_decrypt_start(ssl,
3414 mbedtls_ssl_own_cert(ssl),
3415 p, len);
3416 switch (ret) {
3417 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3418 /* act as if f_async_decrypt_start was null */
3419 break;
3420 case 0:
3421 ssl->handshake->async_in_progress = 1;
3422 return ssl_resume_decrypt_pms(ssl,
3423 peer_pms,
3424 peer_pmslen,
3425 peer_pmssize);
3426 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3427 ssl->handshake->async_in_progress = 1;
3428 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3429 default:
3430 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3431 return ret;
3432 }
3433 }
3434 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3435
3436 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3437 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3438 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3439 }
3440
3441 ret = mbedtls_pk_decrypt(private_key, p, len,
3442 peer_pms, peer_pmslen, peer_pmssize,
3443 ssl->conf->f_rng, ssl->conf->p_rng);
3444 return ret;
3445 }
3446
3447 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,size_t pms_offset)3448 static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3449 const unsigned char *p,
3450 const unsigned char *end,
3451 size_t pms_offset)
3452 {
3453 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3454 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3455 unsigned char ver[2];
3456 unsigned char fake_pms[48], peer_pms[48];
3457 unsigned char mask;
3458 size_t i, peer_pmslen;
3459 unsigned int diff;
3460
3461 /* In case of a failure in decryption, the decryption may write less than
3462 * 2 bytes of output, but we always read the first two bytes. It doesn't
3463 * matter in the end because diff will be nonzero in that case due to
3464 * ret being nonzero, and we only care whether diff is 0.
3465 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3466 * also makes memory analyzers happy (don't access uninitialized memory,
3467 * even if it's an unsigned char). */
3468 peer_pms[0] = peer_pms[1] = ~0;
3469 peer_pmslen = 0;
3470
3471 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3472 peer_pms,
3473 &peer_pmslen,
3474 sizeof(peer_pms));
3475
3476 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3477 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3478 return ret;
3479 }
3480 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3481
3482 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3483 ssl->session_negotiate->tls_version);
3484
3485 /* Avoid data-dependent branches while checking for invalid
3486 * padding, to protect against timing-based Bleichenbacher-type
3487 * attacks. */
3488 diff = (unsigned int) ret;
3489 diff |= peer_pmslen ^ 48;
3490 diff |= peer_pms[0] ^ ver[0];
3491 diff |= peer_pms[1] ^ ver[1];
3492
3493 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3494 mask = mbedtls_ct_uint_mask(diff);
3495
3496 /*
3497 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3498 * must not cause the connection to end immediately; instead, send a
3499 * bad_record_mac later in the handshake.
3500 * To protect against timing-based variants of the attack, we must
3501 * not have any branch that depends on whether the decryption was
3502 * successful. In particular, always generate the fake premaster secret,
3503 * regardless of whether it will ultimately influence the output or not.
3504 */
3505 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3506 if (ret != 0) {
3507 /* It's ok to abort on an RNG failure, since this does not reveal
3508 * anything about the RSA decryption. */
3509 return ret;
3510 }
3511
3512 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3513 if (diff != 0) {
3514 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3515 }
3516 #endif
3517
3518 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3519 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3520 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3521 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3522 }
3523 ssl->handshake->pmslen = 48;
3524
3525 /* Set pms to either the true or the fake PMS, without
3526 * data-dependent branches. */
3527 for (i = 0; i < ssl->handshake->pmslen; i++) {
3528 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
3529 }
3530
3531 return 0;
3532 }
3533 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3534 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3535
3536 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3537 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_psk_identity(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3538 static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3539 const unsigned char *end)
3540 {
3541 int ret = 0;
3542 uint16_t n;
3543
3544 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3545 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3546 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3547 }
3548
3549 /*
3550 * Receive client pre-shared key identity name
3551 */
3552 if (end - *p < 2) {
3553 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3554 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3555 }
3556
3557 n = ((*p)[0] << 8) | (*p)[1];
3558 *p += 2;
3559
3560 if (n == 0 || n > end - *p) {
3561 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3562 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3563 }
3564
3565 if (ssl->conf->f_psk != NULL) {
3566 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
3567 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3568 }
3569 } else {
3570 /* Identity is not a big secret since clients send it in the clear,
3571 * but treat it carefully anyway, just in case */
3572 if (n != ssl->conf->psk_identity_len ||
3573 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3574 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3575 }
3576 }
3577
3578 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3579 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3581 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3582 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3583 }
3584
3585 *p += n;
3586
3587 return 0;
3588 }
3589 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3590
3591 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_key_exchange(mbedtls_ssl_context * ssl)3592 static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
3593 {
3594 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3595 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3596 unsigned char *p, *end;
3597
3598 ciphersuite_info = ssl->handshake->ciphersuite_info;
3599
3600 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
3601
3602 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3603 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3604 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3605 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3606 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3607 (ssl->handshake->async_in_progress != 0)) {
3608 /* We've already read a record and there is an asynchronous
3609 * operation in progress to decrypt it. So skip reading the
3610 * record. */
3611 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3612 } else
3613 #endif
3614 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3616 return ret;
3617 }
3618
3619 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3620 end = ssl->in_msg + ssl->in_hslen;
3621
3622 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3623 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3624 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3625 }
3626
3627 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3628 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3629 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3630 }
3631
3632 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3633 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3634 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3635 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3636 return ret;
3637 }
3638
3639 if (p != end) {
3640 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3641 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3642 }
3643
3644 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3645 ssl->handshake->premaster,
3646 MBEDTLS_PREMASTER_SIZE,
3647 &ssl->handshake->pmslen,
3648 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3649 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3650 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3651 }
3652
3653 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3654 } else
3655 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3657 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3658 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3659 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3660 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3661 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3662 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3663 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
3664 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3665 size_t data_len = (size_t) (*p++);
3666 size_t buf_len = (size_t) (end - p);
3667 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3668 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3669
3670 MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key."));
3671
3672 /*
3673 * We must have at least two bytes (1 for length, at least 1 for data)
3674 */
3675 if (buf_len < 2) {
3676 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length"));
3677 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3678 }
3679
3680 if (data_len < 1 || data_len > buf_len) {
3681 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length"));
3682 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
3683 }
3684
3685 /* Store peer's ECDH public key. */
3686 memcpy(handshake->ecdh_psa_peerkey, p, data_len);
3687 handshake->ecdh_psa_peerkey_len = data_len;
3688
3689 /* Compute ECDH shared secret. */
3690 status = psa_raw_key_agreement(
3691 PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
3692 handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
3693 handshake->premaster, sizeof(handshake->premaster),
3694 &handshake->pmslen);
3695 if (status != PSA_SUCCESS) {
3696 ret = PSA_TO_MBEDTLS_ERR(status);
3697 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
3698 if (handshake->ecdh_psa_privkey_is_external == 0) {
3699 (void) psa_destroy_key(handshake->ecdh_psa_privkey);
3700 }
3701 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3702 return ret;
3703 }
3704
3705 if (handshake->ecdh_psa_privkey_is_external == 0) {
3706 status = psa_destroy_key(handshake->ecdh_psa_privkey);
3707
3708 if (status != PSA_SUCCESS) {
3709 ret = PSA_TO_MBEDTLS_ERR(status);
3710 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3711 return ret;
3712 }
3713 }
3714 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3715 #else
3716 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3717 p, end - p)) != 0) {
3718 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3719 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3720 }
3721
3722 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3723 MBEDTLS_DEBUG_ECDH_QP);
3724
3725 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3726 &ssl->handshake->pmslen,
3727 ssl->handshake->premaster,
3728 MBEDTLS_MPI_MAX_SIZE,
3729 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3730 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3731 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3732 }
3733
3734 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3735 MBEDTLS_DEBUG_ECDH_Z);
3736 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3737 } else
3738 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3739 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3740 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3741 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3742 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3743 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3744 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3745 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3746 return ret;
3747 }
3748
3749 if (p != end) {
3750 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3751 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3752 }
3753
3754 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3755 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3756 ciphersuite_info->key_exchange)) != 0) {
3757 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3758 return ret;
3759 }
3760 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3761 } else
3762 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3763 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3764 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3765 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3766 if (ssl->handshake->async_in_progress != 0) {
3767 /* There is an asynchronous operation in progress to
3768 * decrypt the encrypted premaster secret, so skip
3769 * directly to resuming this operation. */
3770 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
3771 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3772 * won't actually use it, but maintain p anyway for robustness. */
3773 p += ssl->conf->psk_identity_len + 2;
3774 } else
3775 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3776 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3777 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3778 return ret;
3779 }
3780
3781 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3782 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3783 return ret;
3784 }
3785
3786 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3787 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3788 ciphersuite_info->key_exchange)) != 0) {
3789 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3790 return ret;
3791 }
3792 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3793 } else
3794 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3795 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3796 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3797 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3798 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3799 return ret;
3800 }
3801 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3802 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3803 return ret;
3804 }
3805
3806 if (p != end) {
3807 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3808 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3809 }
3810
3811 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3812 unsigned char *pms = ssl->handshake->premaster;
3813 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3814 size_t pms_len;
3815
3816 /* Write length only when we know the actual value */
3817 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3818 pms + 2, pms_end - (pms + 2), &pms_len,
3819 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3820 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3821 return ret;
3822 }
3823 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
3824 pms += 2 + pms_len;
3825
3826 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3827 #else
3828 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3829 ciphersuite_info->key_exchange)) != 0) {
3830 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3831 return ret;
3832 }
3833 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3834 } else
3835 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3836 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3837 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3838 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3839 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3840 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3841 uint8_t ecpoint_len;
3842
3843 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3844
3845 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3846 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3847 psa_destroy_key(handshake->ecdh_psa_privkey);
3848 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3849 return ret;
3850 }
3851
3852 /* Keep a copy of the peer's public key */
3853 if (p >= end) {
3854 psa_destroy_key(handshake->ecdh_psa_privkey);
3855 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3856 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3857 }
3858
3859 ecpoint_len = *(p++);
3860 if ((size_t) (end - p) < ecpoint_len) {
3861 psa_destroy_key(handshake->ecdh_psa_privkey);
3862 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3863 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3864 }
3865
3866 if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
3867 psa_destroy_key(handshake->ecdh_psa_privkey);
3868 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3869 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3870 }
3871
3872 memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len);
3873 handshake->ecdh_psa_peerkey_len = ecpoint_len;
3874 p += ecpoint_len;
3875
3876 /* As RFC 5489 section 2, the premaster secret is formed as follows:
3877 * - a uint16 containing the length (in octets) of the ECDH computation
3878 * - the octet string produced by the ECDH computation
3879 * - a uint16 containing the length (in octets) of the PSK
3880 * - the PSK itself
3881 */
3882 unsigned char *psm = ssl->handshake->premaster;
3883 const unsigned char * const psm_end =
3884 psm + sizeof(ssl->handshake->premaster);
3885 /* uint16 to store length (in octets) of the ECDH computation */
3886 const size_t zlen_size = 2;
3887 size_t zlen = 0;
3888
3889 /* Compute ECDH shared secret. */
3890 status = psa_raw_key_agreement(PSA_ALG_ECDH,
3891 handshake->ecdh_psa_privkey,
3892 handshake->ecdh_psa_peerkey,
3893 handshake->ecdh_psa_peerkey_len,
3894 psm + zlen_size,
3895 psm_end - (psm + zlen_size),
3896 &zlen);
3897
3898 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
3899 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3900
3901 if (status != PSA_SUCCESS) {
3902 return PSA_TO_MBEDTLS_ERR(status);
3903 } else if (destruction_status != PSA_SUCCESS) {
3904 return PSA_TO_MBEDTLS_ERR(destruction_status);
3905 }
3906
3907 /* Write the ECDH computation length before the ECDH computation */
3908 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
3909 psm += zlen_size + zlen;
3910
3911 #else /* MBEDTLS_USE_PSA_CRYPTO */
3912 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3913 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3914 return ret;
3915 }
3916
3917 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3918 p, end - p)) != 0) {
3919 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3920 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3921 }
3922
3923 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3924 MBEDTLS_DEBUG_ECDH_QP);
3925
3926 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3927 ciphersuite_info->key_exchange)) != 0) {
3928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3929 return ret;
3930 }
3931 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3932 } else
3933 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3934 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3935 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3936 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3937 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3938 return ret;
3939 }
3940 } else
3941 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3942 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3943 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3944 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3945 if ((ret = mbedtls_psa_ecjpake_read_round(
3946 &ssl->handshake->psa_pake_ctx, p, end - p,
3947 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
3948 psa_destroy_key(ssl->handshake->psa_pake_password);
3949 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3950
3951 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
3952 return ret;
3953 }
3954 #else
3955 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
3956 p, end - p);
3957 if (ret != 0) {
3958 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
3959 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3960 }
3961
3962 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3963 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3964 ssl->conf->f_rng, ssl->conf->p_rng);
3965 if (ret != 0) {
3966 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3967 return ret;
3968 }
3969 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3970 } else
3971 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3972 {
3973 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3974 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3975 }
3976
3977 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3978 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3979 return ret;
3980 }
3981
3982 ssl->state++;
3983
3984 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
3985
3986 return 0;
3987 }
3988
3989 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3990 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)3991 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
3992 {
3993 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3994 ssl->handshake->ciphersuite_info;
3995
3996 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
3997
3998 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3999 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4000 ssl->state++;
4001 return 0;
4002 }
4003
4004 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4005 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4006 }
4007 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4008 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4009 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4010 {
4011 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4012 size_t i, sig_len;
4013 unsigned char hash[48];
4014 unsigned char *hash_start = hash;
4015 size_t hashlen;
4016 mbedtls_pk_type_t pk_alg;
4017 mbedtls_md_type_t md_alg;
4018 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4019 ssl->handshake->ciphersuite_info;
4020 mbedtls_pk_context *peer_pk;
4021
4022 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4023
4024 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4025 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4026 ssl->state++;
4027 return 0;
4028 }
4029
4030 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4031 if (ssl->session_negotiate->peer_cert == NULL) {
4032 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4033 ssl->state++;
4034 return 0;
4035 }
4036 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4037 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4038 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4039 ssl->state++;
4040 return 0;
4041 }
4042 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4043
4044 /* Read the message without adding it to the checksum */
4045 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4046 if (0 != ret) {
4047 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4048 return ret;
4049 }
4050
4051 ssl->state++;
4052
4053 /* Process the message contents */
4054 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4055 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4056 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4057 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
4058 }
4059
4060 i = mbedtls_ssl_hs_hdr_len(ssl);
4061
4062 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4063 peer_pk = &ssl->handshake->peer_pubkey;
4064 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4065 if (ssl->session_negotiate->peer_cert == NULL) {
4066 /* Should never happen */
4067 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4068 }
4069 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4070 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4071
4072 /*
4073 * struct {
4074 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4075 * opaque signature<0..2^16-1>;
4076 * } DigitallySigned;
4077 */
4078 if (i + 2 > ssl->in_hslen) {
4079 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4080 return MBEDTLS_ERR_SSL_DECODE_ERROR;
4081 }
4082
4083 /*
4084 * Hash
4085 */
4086 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4087
4088 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4089 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4090 " for verify message"));
4091 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4092 }
4093
4094 #if !defined(MBEDTLS_MD_SHA1)
4095 if (MBEDTLS_MD_SHA1 == md_alg) {
4096 hash_start += 16;
4097 }
4098 #endif
4099
4100 /* Info from md_alg will be used instead */
4101 hashlen = 0;
4102
4103 i++;
4104
4105 /*
4106 * Signature
4107 */
4108 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4109 == MBEDTLS_PK_NONE) {
4110 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4111 " for verify message"));
4112 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4113 }
4114
4115 /*
4116 * Check the certificate's key type matches the signature alg
4117 */
4118 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4119 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4121 }
4122
4123 i++;
4124
4125 if (i + 2 > ssl->in_hslen) {
4126 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4127 return MBEDTLS_ERR_SSL_DECODE_ERROR;
4128 }
4129
4130 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
4131 i += 2;
4132
4133 if (i + sig_len != ssl->in_hslen) {
4134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4135 return MBEDTLS_ERR_SSL_DECODE_ERROR;
4136 }
4137
4138 /* Calculate hash and verify signature */
4139 {
4140 size_t dummy_hlen;
4141 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4142 if (0 != ret) {
4143 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4144 return ret;
4145 }
4146 }
4147
4148 if ((ret = mbedtls_pk_verify(peer_pk,
4149 md_alg, hash_start, hashlen,
4150 ssl->in_msg + i, sig_len)) != 0) {
4151 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4152 return ret;
4153 }
4154
4155 ret = mbedtls_ssl_update_handshake_status(ssl);
4156 if (0 != ret) {
4157 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4158 return ret;
4159 }
4160
4161 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
4162
4163 return ret;
4164 }
4165 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4166
4167 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4168 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_new_session_ticket(mbedtls_ssl_context * ssl)4169 static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
4170 {
4171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4172 size_t tlen;
4173 uint32_t lifetime;
4174
4175 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
4176
4177 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4178 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4179
4180 /*
4181 * struct {
4182 * uint32 ticket_lifetime_hint;
4183 * opaque ticket<0..2^16-1>;
4184 * } NewSessionTicket;
4185 *
4186 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4187 * 8 . 9 ticket_len (n)
4188 * 10 . 9+n ticket content
4189 */
4190
4191 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4192 ssl->session_negotiate,
4193 ssl->out_msg + 10,
4194 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4195 &tlen, &lifetime)) != 0) {
4196 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
4197 tlen = 0;
4198 }
4199
4200 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4201 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
4202 ssl->out_msglen = 10 + tlen;
4203
4204 /*
4205 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4206 * ChangeCipherSpec share the same state.
4207 */
4208 ssl->handshake->new_session_ticket = 0;
4209
4210 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4211 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4212 return ret;
4213 }
4214
4215 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
4216
4217 return 0;
4218 }
4219 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4220
4221 /*
4222 * SSL handshake -- server side -- single step
4223 */
mbedtls_ssl_handshake_server_step(mbedtls_ssl_context * ssl)4224 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
4225 {
4226 int ret = 0;
4227
4228 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4229
4230 switch (ssl->state) {
4231 case MBEDTLS_SSL_HELLO_REQUEST:
4232 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4233 break;
4234
4235 /*
4236 * <== ClientHello
4237 */
4238 case MBEDTLS_SSL_CLIENT_HELLO:
4239 ret = ssl_parse_client_hello(ssl);
4240 break;
4241
4242 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4243 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4244 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
4245 #endif
4246
4247 /*
4248 * ==> ServerHello
4249 * Certificate
4250 * ( ServerKeyExchange )
4251 * ( CertificateRequest )
4252 * ServerHelloDone
4253 */
4254 case MBEDTLS_SSL_SERVER_HELLO:
4255 ret = ssl_write_server_hello(ssl);
4256 break;
4257
4258 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4259 ret = mbedtls_ssl_write_certificate(ssl);
4260 break;
4261
4262 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4263 ret = ssl_write_server_key_exchange(ssl);
4264 break;
4265
4266 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4267 ret = ssl_write_certificate_request(ssl);
4268 break;
4269
4270 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4271 ret = ssl_write_server_hello_done(ssl);
4272 break;
4273
4274 /*
4275 * <== ( Certificate/Alert )
4276 * ClientKeyExchange
4277 * ( CertificateVerify )
4278 * ChangeCipherSpec
4279 * Finished
4280 */
4281 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4282 ret = mbedtls_ssl_parse_certificate(ssl);
4283 break;
4284
4285 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4286 ret = ssl_parse_client_key_exchange(ssl);
4287 break;
4288
4289 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4290 ret = ssl_parse_certificate_verify(ssl);
4291 break;
4292
4293 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4294 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4295 break;
4296
4297 case MBEDTLS_SSL_CLIENT_FINISHED:
4298 ret = mbedtls_ssl_parse_finished(ssl);
4299 break;
4300
4301 /*
4302 * ==> ( NewSessionTicket )
4303 * ChangeCipherSpec
4304 * Finished
4305 */
4306 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4307 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4308 if (ssl->handshake->new_session_ticket != 0) {
4309 ret = ssl_write_new_session_ticket(ssl);
4310 } else
4311 #endif
4312 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4313 break;
4314
4315 case MBEDTLS_SSL_SERVER_FINISHED:
4316 ret = mbedtls_ssl_write_finished(ssl);
4317 break;
4318
4319 case MBEDTLS_SSL_FLUSH_BUFFERS:
4320 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4321 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4322 break;
4323
4324 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4325 mbedtls_ssl_handshake_wrapup(ssl);
4326 break;
4327
4328 default:
4329 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4331 }
4332
4333 return ret;
4334 }
4335
mbedtls_ssl_conf_preference_order(mbedtls_ssl_config * conf,int order)4336 void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
4337 {
4338 conf->respect_cli_pref = order;
4339 }
4340
4341 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */
4342
