1 /*
2 * TLS client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
11
12 #include "mbedtls/platform.h"
13
14 #include "mbedtls/ssl.h"
15 #include "ssl_client.h"
16 #include "ssl_misc.h"
17 #include "debug_internal.h"
18 #include "mbedtls/error.h"
19 #include "mbedtls/constant_time.h"
20
21 #if defined(MBEDTLS_USE_PSA_CRYPTO)
22 #include "psa_util_internal.h"
23 #include "psa/crypto.h"
24 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
25 /* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
local_err_translation(psa_status_t status)27 static int local_err_translation(psa_status_t status)
28 {
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
30 ARRAY_LENGTH(psa_to_ssl_errors),
31 psa_generic_status_to_mbedtls);
32 }
33 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
34 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
35 #endif /* MBEDTLS_USE_PSA_CRYPTO */
36
37 #include <string.h>
38
39 #include <stdint.h>
40
41 #if defined(MBEDTLS_HAVE_TIME)
42 #include "mbedtls/platform_time.h"
43 #endif
44
45 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
46 #include "mbedtls/platform_util.h"
47 #endif
48
49 #if defined(MBEDTLS_SSL_RENEGOTIATION)
50 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)51 static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
52 unsigned char *buf,
53 const unsigned char *end,
54 size_t *olen)
55 {
56 unsigned char *p = buf;
57
58 *olen = 0;
59
60 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
61 * initial ClientHello, in which case also adding the renegotiation
62 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
63 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
64 return 0;
65 }
66
67 MBEDTLS_SSL_DEBUG_MSG(3,
68 ("client hello, adding renegotiation extension"));
69
70 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
71
72 /*
73 * Secure renegotiation
74 */
75 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
76 p += 2;
77
78 *p++ = 0x00;
79 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
80 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
81
82 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
83
84 *olen = 5 + ssl->verify_data_len;
85
86 return 0;
87 }
88 #endif /* MBEDTLS_SSL_RENEGOTIATION */
89
90 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
91 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
92 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
93
94 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)95 static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
96 unsigned char *buf,
97 const unsigned char *end,
98 size_t *olen)
99 {
100 unsigned char *p = buf;
101 (void) ssl; /* ssl used for debugging only */
102
103 *olen = 0;
104
105 MBEDTLS_SSL_DEBUG_MSG(3,
106 ("client hello, adding supported_point_formats extension"));
107 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
108
109 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
110 p += 2;
111
112 *p++ = 0x00;
113 *p++ = 2;
114
115 *p++ = 1;
116 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
117
118 *olen = 6;
119
120 return 0;
121 }
122 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
123 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
124 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
125
126 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
127 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)128 static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
129 unsigned char *buf,
130 const unsigned char *end,
131 size_t *olen)
132 {
133 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
134 unsigned char *p = buf;
135 size_t kkpp_len = 0;
136
137 *olen = 0;
138
139 /* Skip costly extension if we can't use EC J-PAKE anyway */
140 #if defined(MBEDTLS_USE_PSA_CRYPTO)
141 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
142 return 0;
143 }
144 #else
145 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
146 return 0;
147 }
148 #endif /* MBEDTLS_USE_PSA_CRYPTO */
149
150 MBEDTLS_SSL_DEBUG_MSG(3,
151 ("client hello, adding ecjpake_kkpp extension"));
152
153 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
154
155 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
156 p += 2;
157
158 /*
159 * We may need to send ClientHello multiple times for Hello verification.
160 * We don't want to compute fresh values every time (both for performance
161 * and consistency reasons), so cache the extension content.
162 */
163 if (ssl->handshake->ecjpake_cache == NULL ||
164 ssl->handshake->ecjpake_cache_len == 0) {
165 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
166
167 #if defined(MBEDTLS_USE_PSA_CRYPTO)
168 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
169 p + 2, end - p - 2, &kkpp_len,
170 MBEDTLS_ECJPAKE_ROUND_ONE);
171 if (ret != 0) {
172 psa_destroy_key(ssl->handshake->psa_pake_password);
173 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
174 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
175 return ret;
176 }
177 #else
178 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
179 p + 2, end - p - 2, &kkpp_len,
180 ssl->conf->f_rng, ssl->conf->p_rng);
181 if (ret != 0) {
182 MBEDTLS_SSL_DEBUG_RET(1,
183 "mbedtls_ecjpake_write_round_one", ret);
184 return ret;
185 }
186 #endif /* MBEDTLS_USE_PSA_CRYPTO */
187
188 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
189 if (ssl->handshake->ecjpake_cache == NULL) {
190 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
191 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
192 }
193
194 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
195 ssl->handshake->ecjpake_cache_len = kkpp_len;
196 } else {
197 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
198
199 kkpp_len = ssl->handshake->ecjpake_cache_len;
200 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
201
202 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
203 }
204
205 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
206 p += 2;
207
208 *olen = kkpp_len + 4;
209
210 return 0;
211 }
212 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
213
214 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
215 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_cid_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)216 static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
217 unsigned char *buf,
218 const unsigned char *end,
219 size_t *olen)
220 {
221 unsigned char *p = buf;
222 size_t ext_len;
223
224 /*
225 * struct {
226 * opaque cid<0..2^8-1>;
227 * } ConnectionId;
228 */
229
230 *olen = 0;
231 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
232 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
233 return 0;
234 }
235 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
236
237 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
238 * which is at most 255, so the increment cannot overflow. */
239 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
240
241 /* Add extension ID + size */
242 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
243 p += 2;
244 ext_len = (size_t) ssl->own_cid_len + 1;
245 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
246 p += 2;
247
248 *p++ = (uint8_t) ssl->own_cid_len;
249 memcpy(p, ssl->own_cid, ssl->own_cid_len);
250
251 *olen = ssl->own_cid_len + 5;
252
253 return 0;
254 }
255 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
256
257 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
258 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)259 static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
260 unsigned char *buf,
261 const unsigned char *end,
262 size_t *olen)
263 {
264 unsigned char *p = buf;
265
266 *olen = 0;
267
268 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
269 return 0;
270 }
271
272 MBEDTLS_SSL_DEBUG_MSG(3,
273 ("client hello, adding max_fragment_length extension"));
274
275 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
276
277 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
278 p += 2;
279
280 *p++ = 0x00;
281 *p++ = 1;
282
283 *p++ = ssl->conf->mfl_code;
284
285 *olen = 5;
286
287 return 0;
288 }
289 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
290
291 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
292 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)293 static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
294 unsigned char *buf,
295 const unsigned char *end,
296 size_t *olen)
297 {
298 unsigned char *p = buf;
299
300 *olen = 0;
301
302 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
303 return 0;
304 }
305
306 MBEDTLS_SSL_DEBUG_MSG(3,
307 ("client hello, adding encrypt_then_mac extension"));
308
309 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
310
311 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
312 p += 2;
313
314 *p++ = 0x00;
315 *p++ = 0x00;
316
317 *olen = 4;
318
319 return 0;
320 }
321 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
322
323 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
324 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)325 static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
326 unsigned char *buf,
327 const unsigned char *end,
328 size_t *olen)
329 {
330 unsigned char *p = buf;
331
332 *olen = 0;
333
334 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
335 return 0;
336 }
337
338 MBEDTLS_SSL_DEBUG_MSG(3,
339 ("client hello, adding extended_master_secret extension"));
340
341 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
342
343 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
344 p += 2;
345
346 *p++ = 0x00;
347 *p++ = 0x00;
348
349 *olen = 4;
350
351 return 0;
352 }
353 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
354
355 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
356 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)357 static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
358 unsigned char *buf,
359 const unsigned char *end,
360 size_t *olen)
361 {
362 unsigned char *p = buf;
363 size_t tlen = ssl->session_negotiate->ticket_len;
364
365 *olen = 0;
366
367 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
368 return 0;
369 }
370
371 MBEDTLS_SSL_DEBUG_MSG(3,
372 ("client hello, adding session ticket extension"));
373
374 /* The addition is safe here since the ticket length is 16 bit. */
375 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
376
377 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
378 p += 2;
379
380 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
381 p += 2;
382
383 *olen = 4;
384
385 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
386 return 0;
387 }
388
389 MBEDTLS_SSL_DEBUG_MSG(3,
390 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
391
392 memcpy(p, ssl->session_negotiate->ticket, tlen);
393
394 *olen += tlen;
395
396 return 0;
397 }
398 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
399
400 #if defined(MBEDTLS_SSL_DTLS_SRTP)
401 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)402 static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
403 unsigned char *buf,
404 const unsigned char *end,
405 size_t *olen)
406 {
407 unsigned char *p = buf;
408 size_t protection_profiles_index = 0, ext_len = 0;
409 uint16_t mki_len = 0, profile_value = 0;
410
411 *olen = 0;
412
413 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
414 (ssl->conf->dtls_srtp_profile_list == NULL) ||
415 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
416 return 0;
417 }
418
419 /* RFC 5764 section 4.1.1
420 * uint8 SRTPProtectionProfile[2];
421 *
422 * struct {
423 * SRTPProtectionProfiles SRTPProtectionProfiles;
424 * opaque srtp_mki<0..255>;
425 * } UseSRTPData;
426 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
427 */
428 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
429 mki_len = ssl->dtls_srtp_info.mki_len;
430 }
431 /* Extension length = 2 bytes for profiles length,
432 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
433 * 1 byte for srtp_mki vector length and the mki_len value
434 */
435 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
436
437 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
438
439 /* Check there is room in the buffer for the extension + 4 bytes
440 * - the extension tag (2 bytes)
441 * - the extension length (2 bytes)
442 */
443 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
444
445 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
446 p += 2;
447
448 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
449 p += 2;
450
451 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
452 /* micro-optimization:
453 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
454 * which is lower than 127, so the upper byte of the length is always 0
455 * For the documentation, the more generic code is left in comments
456 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
457 * >> 8 ) & 0xFF );
458 */
459 *p++ = 0;
460 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
461
462 for (protection_profiles_index = 0;
463 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
464 protection_profiles_index++) {
465 profile_value = mbedtls_ssl_check_srtp_profile_value
466 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
467 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
468 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
469 profile_value));
470 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
471 p += 2;
472 } else {
473 /*
474 * Note: we shall never arrive here as protection profiles
475 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
476 */
477 MBEDTLS_SSL_DEBUG_MSG(3,
478 ("client hello, "
479 "illegal DTLS-SRTP protection profile %d",
480 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
481 ));
482 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
483 }
484 }
485
486 *p++ = mki_len & 0xFF;
487
488 if (mki_len != 0) {
489 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
490 /*
491 * Increment p to point to the current position.
492 */
493 p += mki_len;
494 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
495 ssl->dtls_srtp_info.mki_len);
496 }
497
498 /*
499 * total extension length: extension type (2 bytes)
500 * + extension length (2 bytes)
501 * + protection profile length (2 bytes)
502 * + 2 * number of protection profiles
503 * + srtp_mki vector length(1 byte)
504 * + mki value
505 */
506 *olen = p - buf;
507
508 return 0;
509 }
510 #endif /* MBEDTLS_SSL_DTLS_SRTP */
511
mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,int uses_ec,size_t * out_len)512 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
513 unsigned char *buf,
514 const unsigned char *end,
515 int uses_ec,
516 size_t *out_len)
517 {
518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
519 unsigned char *p = buf;
520 size_t ext_len = 0;
521
522 (void) ssl;
523 (void) end;
524 (void) uses_ec;
525 (void) ret;
526 (void) ext_len;
527
528 *out_len = 0;
529
530 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
531 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
532 #if defined(MBEDTLS_SSL_RENEGOTIATION)
533 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
534 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
535 return ret;
536 }
537 p += ext_len;
538 #endif
539
540 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
541 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
542 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
543 if (uses_ec) {
544 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
545 &ext_len)) != 0) {
546 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
547 return ret;
548 }
549 p += ext_len;
550 }
551 #endif
552
553 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
554 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
555 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
556 return ret;
557 }
558 p += ext_len;
559 #endif
560
561 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
562 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
563 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
564 return ret;
565 }
566 p += ext_len;
567 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
568
569 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
570 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
571 &ext_len)) != 0) {
572 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
573 return ret;
574 }
575 p += ext_len;
576 #endif
577
578 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
579 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
580 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
581 return ret;
582 }
583 p += ext_len;
584 #endif
585
586 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
587 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
588 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
589 return ret;
590 }
591 p += ext_len;
592 #endif
593
594 #if defined(MBEDTLS_SSL_DTLS_SRTP)
595 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
596 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
597 return ret;
598 }
599 p += ext_len;
600 #endif
601
602 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
603 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
604 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
605 return ret;
606 }
607 p += ext_len;
608 #endif
609
610 *out_len = (size_t) (p - buf);
611
612 return 0;
613 }
614
615 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)616 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
617 const unsigned char *buf,
618 size_t len)
619 {
620 #if defined(MBEDTLS_SSL_RENEGOTIATION)
621 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
622 /* Check verify-data in constant-time. The length OTOH is no secret */
623 if (len != 1 + ssl->verify_data_len * 2 ||
624 buf[0] != ssl->verify_data_len * 2 ||
625 mbedtls_ct_memcmp(buf + 1,
626 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
627 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
628 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
629 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
630 mbedtls_ssl_send_alert_message(
631 ssl,
632 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
633 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
634 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
635 }
636 } else
637 #endif /* MBEDTLS_SSL_RENEGOTIATION */
638 {
639 if (len != 1 || buf[0] != 0x00) {
640 MBEDTLS_SSL_DEBUG_MSG(1,
641 ("non-zero length renegotiation info"));
642 mbedtls_ssl_send_alert_message(
643 ssl,
644 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
645 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
646 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
647 }
648
649 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
650 }
651
652 return 0;
653 }
654
655 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
656 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)657 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
658 const unsigned char *buf,
659 size_t len)
660 {
661 /*
662 * server should use the extension only if we did,
663 * and if so the server's value should match ours (and len is always 1)
664 */
665 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
666 len != 1 ||
667 buf[0] != ssl->conf->mfl_code) {
668 MBEDTLS_SSL_DEBUG_MSG(1,
669 ("non-matching max fragment length extension"));
670 mbedtls_ssl_send_alert_message(
671 ssl,
672 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
673 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
674 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
675 }
676
677 return 0;
678 }
679 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
680
681 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
682 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_cid_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)683 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
684 const unsigned char *buf,
685 size_t len)
686 {
687 size_t peer_cid_len;
688
689 if ( /* CID extension only makes sense in DTLS */
690 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
691 /* The server must only send the CID extension if we have offered it. */
692 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
693 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
694 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
695 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
696 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
697 }
698
699 if (len == 0) {
700 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
701 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
702 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
703 return MBEDTLS_ERR_SSL_DECODE_ERROR;
704 }
705
706 peer_cid_len = *buf++;
707 len--;
708
709 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
710 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
711 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
712 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
713 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
714 }
715
716 if (len != peer_cid_len) {
717 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
718 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
719 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
720 return MBEDTLS_ERR_SSL_DECODE_ERROR;
721 }
722
723 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
724 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
725 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
726
727 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
728 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
729
730 return 0;
731 }
732 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
733
734 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
735 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)736 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
737 const unsigned char *buf,
738 size_t len)
739 {
740 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
741 len != 0) {
742 MBEDTLS_SSL_DEBUG_MSG(1,
743 ("non-matching encrypt-then-MAC extension"));
744 mbedtls_ssl_send_alert_message(
745 ssl,
746 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
747 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
748 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
749 }
750
751 ((void) buf);
752
753 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
754
755 return 0;
756 }
757 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
758
759 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
760 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)761 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
762 const unsigned char *buf,
763 size_t len)
764 {
765 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
766 len != 0) {
767 MBEDTLS_SSL_DEBUG_MSG(1,
768 ("non-matching extended master secret extension"));
769 mbedtls_ssl_send_alert_message(
770 ssl,
771 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
772 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
773 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
774 }
775
776 ((void) buf);
777
778 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
779
780 return 0;
781 }
782 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
783
784 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
785 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)786 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
787 const unsigned char *buf,
788 size_t len)
789 {
790 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
791 len != 0) {
792 MBEDTLS_SSL_DEBUG_MSG(1,
793 ("non-matching session ticket extension"));
794 mbedtls_ssl_send_alert_message(
795 ssl,
796 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
797 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
798 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
799 }
800
801 ((void) buf);
802
803 ssl->handshake->new_session_ticket = 1;
804
805 return 0;
806 }
807 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
808
809 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
810 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
811 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
812 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_point_formats_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)813 static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
814 const unsigned char *buf,
815 size_t len)
816 {
817 size_t list_size;
818 const unsigned char *p;
819
820 if (len == 0 || (size_t) (buf[0] + 1) != len) {
821 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
822 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
823 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
824 return MBEDTLS_ERR_SSL_DECODE_ERROR;
825 }
826 list_size = buf[0];
827
828 p = buf + 1;
829 while (list_size > 0) {
830 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
831 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
832 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
833 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
834 ssl->handshake->ecdh_ctx.point_format = p[0];
835 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
836 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
837 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
838 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
839 p[0]);
840 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
841 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
842 return 0;
843 }
844
845 list_size--;
846 p++;
847 }
848
849 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
850 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
851 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
852 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
853 }
854 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
855 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
856 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
857
858 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
859 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)860 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
861 const unsigned char *buf,
862 size_t len)
863 {
864 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
865
866 if (ssl->handshake->ciphersuite_info->key_exchange !=
867 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
868 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
869 return 0;
870 }
871
872 /* If we got here, we no longer need our cached extension */
873 mbedtls_free(ssl->handshake->ecjpake_cache);
874 ssl->handshake->ecjpake_cache = NULL;
875 ssl->handshake->ecjpake_cache_len = 0;
876
877 #if defined(MBEDTLS_USE_PSA_CRYPTO)
878 if ((ret = mbedtls_psa_ecjpake_read_round(
879 &ssl->handshake->psa_pake_ctx, buf, len,
880 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
881 psa_destroy_key(ssl->handshake->psa_pake_password);
882 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
883
884 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
885 mbedtls_ssl_send_alert_message(
886 ssl,
887 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
888 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
889 return ret;
890 }
891
892 return 0;
893 #else
894 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
895 buf, len)) != 0) {
896 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
897 mbedtls_ssl_send_alert_message(
898 ssl,
899 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
900 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
901 return ret;
902 }
903
904 return 0;
905 #endif /* MBEDTLS_USE_PSA_CRYPTO */
906 }
907 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
908
909 #if defined(MBEDTLS_SSL_ALPN)
910 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)911 static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
912 const unsigned char *buf, size_t len)
913 {
914 size_t list_len, name_len;
915 const char **p;
916
917 /* If we didn't send it, the server shouldn't send it */
918 if (ssl->conf->alpn_list == NULL) {
919 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
920 mbedtls_ssl_send_alert_message(
921 ssl,
922 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
923 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
924 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
925 }
926
927 /*
928 * opaque ProtocolName<1..2^8-1>;
929 *
930 * struct {
931 * ProtocolName protocol_name_list<2..2^16-1>
932 * } ProtocolNameList;
933 *
934 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
935 */
936
937 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
938 if (len < 4) {
939 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
940 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
941 return MBEDTLS_ERR_SSL_DECODE_ERROR;
942 }
943
944 list_len = MBEDTLS_GET_UINT16_BE(buf, 0);
945 if (list_len != len - 2) {
946 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
947 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
948 return MBEDTLS_ERR_SSL_DECODE_ERROR;
949 }
950
951 name_len = buf[2];
952 if (name_len != list_len - 1) {
953 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
954 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
955 return MBEDTLS_ERR_SSL_DECODE_ERROR;
956 }
957
958 /* Check that the server chosen protocol was in our list and save it */
959 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
960 if (name_len == strlen(*p) &&
961 memcmp(buf + 3, *p, name_len) == 0) {
962 ssl->alpn_chosen = *p;
963 return 0;
964 }
965 }
966
967 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
968 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
969 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
970 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
971 }
972 #endif /* MBEDTLS_SSL_ALPN */
973
974 #if defined(MBEDTLS_SSL_DTLS_SRTP)
975 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)976 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
977 const unsigned char *buf,
978 size_t len)
979 {
980 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
981 size_t i, mki_len = 0;
982 uint16_t server_protection_profile_value = 0;
983
984 /* If use_srtp is not configured, just ignore the extension */
985 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
986 (ssl->conf->dtls_srtp_profile_list == NULL) ||
987 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
988 return 0;
989 }
990
991 /* RFC 5764 section 4.1.1
992 * uint8 SRTPProtectionProfile[2];
993 *
994 * struct {
995 * SRTPProtectionProfiles SRTPProtectionProfiles;
996 * opaque srtp_mki<0..255>;
997 * } UseSRTPData;
998
999 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1000 *
1001 */
1002 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1003 mki_len = ssl->dtls_srtp_info.mki_len;
1004 }
1005
1006 /*
1007 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1008 * + protection profile (2 bytes)
1009 * + mki_len(1 byte)
1010 * and optional srtp_mki
1011 */
1012 if ((len < 5) || (len != (buf[4] + 5u))) {
1013 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1014 }
1015
1016 /*
1017 * get the server protection profile
1018 */
1019
1020 /*
1021 * protection profile length must be 0x0002 as we must have only
1022 * one protection profile in server Hello
1023 */
1024 if ((buf[0] != 0) || (buf[1] != 2)) {
1025 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1026 }
1027
1028 server_protection_profile_value = (buf[2] << 8) | buf[3];
1029 server_protection = mbedtls_ssl_check_srtp_profile_value(
1030 server_protection_profile_value);
1031 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1032 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1033 mbedtls_ssl_get_srtp_profile_as_string(
1034 server_protection)));
1035 }
1036
1037 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
1038
1039 /*
1040 * Check we have the server profile in our list
1041 */
1042 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1043 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
1044 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
1045 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
1046 mbedtls_ssl_get_srtp_profile_as_string(
1047 server_protection)));
1048 break;
1049 }
1050 }
1051
1052 /* If no match was found : server problem, it shall never answer with incompatible profile */
1053 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1054 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1055 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1056 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1057 }
1058
1059 /* If server does not use mki in its reply, make sure the client won't keep
1060 * one as negotiated */
1061 if (len == 5) {
1062 ssl->dtls_srtp_info.mki_len = 0;
1063 }
1064
1065 /*
1066 * RFC5764:
1067 * If the client detects a nonzero-length MKI in the server's response
1068 * that is different than the one the client offered, then the client
1069 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1070 */
1071 if (len > 5 && (buf[4] != mki_len ||
1072 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1073 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1074 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1075 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1076 }
1077 #if defined(MBEDTLS_DEBUG_C)
1078 if (len > 5) {
1079 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1080 ssl->dtls_srtp_info.mki_len);
1081 }
1082 #endif
1083 return 0;
1084 }
1085 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1086
1087 /*
1088 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1089 */
1090 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1091 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_hello_verify_request(mbedtls_ssl_context * ssl)1092 static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
1093 {
1094 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1095 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
1096 uint16_t dtls_legacy_version;
1097
1098 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1099 uint8_t cookie_len;
1100 #else
1101 uint16_t cookie_len;
1102 #endif
1103
1104 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
1105
1106 /* Check that there is enough room for:
1107 * - 2 bytes of version
1108 * - 1 byte of cookie_len
1109 */
1110 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1111 MBEDTLS_SSL_DEBUG_MSG(1,
1112 ("incoming HelloVerifyRequest message is too short"));
1113 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1114 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1115 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1116 }
1117
1118 /*
1119 * struct {
1120 * ProtocolVersion server_version;
1121 * opaque cookie<0..2^8-1>;
1122 * } HelloVerifyRequest;
1123 */
1124 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1125 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
1126 p += 2;
1127
1128 /*
1129 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1130 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1131 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
1132 */
1133 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
1135
1136 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1137 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1138
1139 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1140 }
1141
1142 cookie_len = *p++;
1143 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1144 MBEDTLS_SSL_DEBUG_MSG(1,
1145 ("cookie length does not match incoming message size"));
1146 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1147 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1148 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1149 }
1150 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
1151
1152 mbedtls_free(ssl->handshake->cookie);
1153
1154 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1155 if (ssl->handshake->cookie == NULL) {
1156 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1157 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1158 }
1159
1160 memcpy(ssl->handshake->cookie, p, cookie_len);
1161 ssl->handshake->cookie_len = cookie_len;
1162
1163 /* Start over at ClientHello */
1164 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1165 ret = mbedtls_ssl_reset_checksum(ssl);
1166 if (0 != ret) {
1167 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1168 return ret;
1169 }
1170
1171 mbedtls_ssl_recv_flight_completed(ssl);
1172
1173 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
1174
1175 return 0;
1176 }
1177 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1178
1179 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_hello(mbedtls_ssl_context * ssl)1180 static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
1181 {
1182 int ret, i;
1183 size_t n;
1184 size_t ext_len;
1185 unsigned char *buf, *ext;
1186 unsigned char comp;
1187 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1188 int renegotiation_info_seen = 0;
1189 #endif
1190 int handshake_failure = 0;
1191 const mbedtls_ssl_ciphersuite_t *suite_info;
1192
1193 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
1194
1195 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
1196 /* No alert on a read error. */
1197 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1198 return ret;
1199 }
1200
1201 buf = ssl->in_msg;
1202
1203 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
1204 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1205 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1206 ssl->renego_records_seen++;
1207
1208 if (ssl->conf->renego_max_records >= 0 &&
1209 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1210 MBEDTLS_SSL_DEBUG_MSG(1,
1211 ("renegotiation requested, but not honored by server"));
1212 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1213 }
1214
1215 MBEDTLS_SSL_DEBUG_MSG(1,
1216 ("non-handshake message during renegotiation"));
1217
1218 ssl->keep_current_message = 1;
1219 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
1220 }
1221 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1222
1223 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1224 mbedtls_ssl_send_alert_message(
1225 ssl,
1226 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1227 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1228 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1229 }
1230
1231 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1232 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1233 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1234 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1235 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1236 return ssl_parse_hello_verify_request(ssl);
1237 } else {
1238 /* We made it through the verification process */
1239 mbedtls_free(ssl->handshake->cookie);
1240 ssl->handshake->cookie = NULL;
1241 ssl->handshake->cookie_len = 0;
1242 }
1243 }
1244 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1245
1246 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1247 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1248 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1249 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1250 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1251 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1252 }
1253
1254 /*
1255 * 0 . 1 server_version
1256 * 2 . 33 random (maybe including 4 bytes of Unix time)
1257 * 34 . 34 session_id length = n
1258 * 35 . 34+n session_id
1259 * 35+n . 36+n cipher_suite
1260 * 37+n . 37+n compression_method
1261 *
1262 * 38+n . 39+n extensions length (optional)
1263 * 40+n . .. extensions
1264 */
1265 buf += mbedtls_ssl_hs_hdr_len(ssl);
1266
1267 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
1268 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1269 ssl->conf->transport);
1270 ssl->session_negotiate->tls_version = ssl->tls_version;
1271 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1272
1273 if (ssl->tls_version < ssl->conf->min_tls_version ||
1274 ssl->tls_version > ssl->conf->max_tls_version) {
1275 MBEDTLS_SSL_DEBUG_MSG(1,
1276 (
1277 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1278 (unsigned) ssl->conf->min_tls_version,
1279 (unsigned) ssl->tls_version,
1280 (unsigned) ssl->conf->max_tls_version));
1281
1282 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1283 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1284
1285 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1286 }
1287
1288 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1289 ((unsigned long) buf[2] << 24) |
1290 ((unsigned long) buf[3] << 16) |
1291 ((unsigned long) buf[4] << 8) |
1292 ((unsigned long) buf[5])));
1293
1294 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
1295
1296 n = buf[34];
1297
1298 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
1299
1300 if (n > 32) {
1301 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1302 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1303 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1304 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1305 }
1306
1307 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1308 ext_len = MBEDTLS_GET_UINT16_BE(buf, 38 + n);
1309
1310 if ((ext_len > 0 && ext_len < 4) ||
1311 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1312 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1313 mbedtls_ssl_send_alert_message(
1314 ssl,
1315 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1316 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1317 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1318 }
1319 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
1320 ext_len = 0;
1321 } else {
1322 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1323 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1324 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1325 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1326 }
1327
1328 /* ciphersuite (used later) */
1329 i = (int) MBEDTLS_GET_UINT16_BE(buf, n + 35);
1330
1331 /*
1332 * Read and check compression
1333 */
1334 comp = buf[37 + n];
1335
1336 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1337 MBEDTLS_SSL_DEBUG_MSG(1,
1338 ("server hello, bad compression: %d", comp));
1339 mbedtls_ssl_send_alert_message(
1340 ssl,
1341 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1342 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1343 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1344 }
1345
1346 /*
1347 * Initialize update checksum functions
1348 */
1349 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1350 if (ssl->handshake->ciphersuite_info == NULL) {
1351 MBEDTLS_SSL_DEBUG_MSG(1,
1352 ("ciphersuite info for %04x not found", (unsigned int) i));
1353 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1354 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1355 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1356 }
1357
1358 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
1359
1360 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1361 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
1362
1363 /*
1364 * Check if the session can be resumed
1365 */
1366 if (ssl->handshake->resume == 0 || n == 0 ||
1367 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1368 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1369 #endif
1370 ssl->session_negotiate->ciphersuite != i ||
1371 ssl->session_negotiate->id_len != n ||
1372 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
1373 ssl->state++;
1374 ssl->handshake->resume = 0;
1375 #if defined(MBEDTLS_HAVE_TIME)
1376 ssl->session_negotiate->start = mbedtls_time(NULL);
1377 #endif
1378 ssl->session_negotiate->ciphersuite = i;
1379 ssl->session_negotiate->id_len = n;
1380 memcpy(ssl->session_negotiate->id, buf + 35, n);
1381 } else {
1382 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1383 }
1384
1385 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1386 ssl->handshake->resume ? "a" : "no"));
1387
1388 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1389 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1390 buf[37 + n]));
1391
1392 /*
1393 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1394 */
1395 i = 0;
1396 while (1) {
1397 if (ssl->conf->ciphersuite_list[i] == 0) {
1398 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1399 mbedtls_ssl_send_alert_message(
1400 ssl,
1401 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1402 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1403 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1404 }
1405
1406 if (ssl->conf->ciphersuite_list[i++] ==
1407 ssl->session_negotiate->ciphersuite) {
1408 break;
1409 }
1410 }
1411
1412 suite_info = mbedtls_ssl_ciphersuite_from_id(
1413 ssl->session_negotiate->ciphersuite);
1414 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1415 ssl->tls_version) != 0) {
1416 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1417 mbedtls_ssl_send_alert_message(
1418 ssl,
1419 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1420 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1421 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1422 }
1423
1424 MBEDTLS_SSL_DEBUG_MSG(3,
1425 ("server hello, chosen ciphersuite: %s", suite_info->name));
1426
1427 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1428 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1429 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
1430 ssl->handshake->ecrs_enabled = 1;
1431 }
1432 #endif
1433
1434 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1435 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1436 mbedtls_ssl_send_alert_message(
1437 ssl,
1438 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1439 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1440 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1441 }
1442
1443 ext = buf + 40 + n;
1444
1445 MBEDTLS_SSL_DEBUG_MSG(2,
1446 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1447 ext_len));
1448
1449 while (ext_len) {
1450 unsigned int ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
1451 unsigned int ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
1452
1453 if (ext_size + 4 > ext_len) {
1454 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1455 mbedtls_ssl_send_alert_message(
1456 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1457 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1458 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1459 }
1460
1461 switch (ext_id) {
1462 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1463 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1464 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1465 renegotiation_info_seen = 1;
1466 #endif
1467
1468 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1469 ext_size)) != 0) {
1470 return ret;
1471 }
1472
1473 break;
1474
1475 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1476 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1477 MBEDTLS_SSL_DEBUG_MSG(3,
1478 ("found max_fragment_length extension"));
1479
1480 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1481 ext + 4, ext_size)) != 0) {
1482 return ret;
1483 }
1484
1485 break;
1486 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1487
1488 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1489 case MBEDTLS_TLS_EXT_CID:
1490 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1491
1492 if ((ret = ssl_parse_cid_ext(ssl,
1493 ext + 4,
1494 ext_size)) != 0) {
1495 return ret;
1496 }
1497
1498 break;
1499 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1500
1501 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1502 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1503 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
1504
1505 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1506 ext + 4, ext_size)) != 0) {
1507 return ret;
1508 }
1509
1510 break;
1511 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1512
1513 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1514 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1515 MBEDTLS_SSL_DEBUG_MSG(3,
1516 ("found extended_master_secret extension"));
1517
1518 if ((ret = ssl_parse_extended_ms_ext(ssl,
1519 ext + 4, ext_size)) != 0) {
1520 return ret;
1521 }
1522
1523 break;
1524 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1525
1526 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1527 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1528 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
1529
1530 if ((ret = ssl_parse_session_ticket_ext(ssl,
1531 ext + 4, ext_size)) != 0) {
1532 return ret;
1533 }
1534
1535 break;
1536 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1537
1538 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1539 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
1540 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1541 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1542 MBEDTLS_SSL_DEBUG_MSG(3,
1543 ("found supported_point_formats extension"));
1544
1545 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1546 ext + 4, ext_size)) != 0) {
1547 return ret;
1548 }
1549
1550 break;
1551 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
1552 MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
1553 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1554
1555 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1556 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1557 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
1558
1559 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1560 ext + 4, ext_size)) != 0) {
1561 return ret;
1562 }
1563
1564 break;
1565 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1566
1567 #if defined(MBEDTLS_SSL_ALPN)
1568 case MBEDTLS_TLS_EXT_ALPN:
1569 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1570
1571 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1572 return ret;
1573 }
1574
1575 break;
1576 #endif /* MBEDTLS_SSL_ALPN */
1577
1578 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1579 case MBEDTLS_TLS_EXT_USE_SRTP:
1580 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1581
1582 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1583 return ret;
1584 }
1585
1586 break;
1587 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1588
1589 default:
1590 MBEDTLS_SSL_DEBUG_MSG(3,
1591 ("unknown extension found: %u (ignoring)", ext_id));
1592 }
1593
1594 ext_len -= 4 + ext_size;
1595 ext += 4 + ext_size;
1596
1597 if (ext_len > 0 && ext_len < 4) {
1598 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1599 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1600 }
1601 }
1602
1603 /*
1604 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1605 * extensions. It sets the transform data for the resumed session which in
1606 * case of DTLS includes the server CID extracted from the CID extension.
1607 */
1608 if (ssl->handshake->resume) {
1609 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1610 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
1611 mbedtls_ssl_send_alert_message(
1612 ssl,
1613 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1614 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1615 return ret;
1616 }
1617 }
1618
1619 /*
1620 * Renegotiation security checks
1621 */
1622 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1623 ssl->conf->allow_legacy_renegotiation ==
1624 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1625 MBEDTLS_SSL_DEBUG_MSG(1,
1626 ("legacy renegotiation, breaking off handshake"));
1627 handshake_failure = 1;
1628 }
1629 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1630 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1631 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1632 renegotiation_info_seen == 0) {
1633 MBEDTLS_SSL_DEBUG_MSG(1,
1634 ("renegotiation_info extension missing (secure)"));
1635 handshake_failure = 1;
1636 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1637 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1638 ssl->conf->allow_legacy_renegotiation ==
1639 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1640 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
1641 handshake_failure = 1;
1642 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1643 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1644 renegotiation_info_seen == 1) {
1645 MBEDTLS_SSL_DEBUG_MSG(1,
1646 ("renegotiation_info extension present (legacy)"));
1647 handshake_failure = 1;
1648 }
1649 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1650
1651 if (handshake_failure == 1) {
1652 mbedtls_ssl_send_alert_message(
1653 ssl,
1654 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1655 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1656 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1657 }
1658
1659 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1660
1661 return 0;
1662 }
1663
1664 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1665 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1666 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_dh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1667 static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1668 unsigned char **p,
1669 unsigned char *end)
1670 {
1671 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1672 size_t dhm_actual_bitlen;
1673
1674 /*
1675 * Ephemeral DH parameters:
1676 *
1677 * struct {
1678 * opaque dh_p<1..2^16-1>;
1679 * opaque dh_g<1..2^16-1>;
1680 * opaque dh_Ys<1..2^16-1>;
1681 * } ServerDHParams;
1682 */
1683 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1684 p, end)) != 0) {
1685 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1686 return ret;
1687 }
1688
1689 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1690 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1691 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1692 dhm_actual_bitlen,
1693 ssl->conf->dhm_min_bitlen));
1694 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1695 }
1696
1697 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1698 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1699 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
1700
1701 return ret;
1702 }
1703 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1704 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1705
1706 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1707 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1708 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1710 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1711 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1712 unsigned char **p,
1713 unsigned char *end)
1714 {
1715 uint16_t tls_id;
1716 size_t ecpoint_len;
1717 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1718 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
1719 size_t ec_bits = 0;
1720
1721 /*
1722 * struct {
1723 * ECParameters curve_params;
1724 * ECPoint public;
1725 * } ServerECDHParams;
1726 *
1727 * 1 curve_type (must be "named_curve")
1728 * 2..3 NamedCurve
1729 * 4 ECPoint.len
1730 * 5+ ECPoint contents
1731 */
1732 if (end - *p < 4) {
1733 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1734 }
1735
1736 /* First byte is curve_type; only named_curve is handled */
1737 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1738 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1739 }
1740
1741 /* Next two bytes are the namedcurve value */
1742 tls_id = MBEDTLS_GET_UINT16_BE(*p, 0);
1743 *p += 2;
1744
1745 /* Check it's a curve we offered */
1746 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1747 MBEDTLS_SSL_DEBUG_MSG(2,
1748 ("bad server key exchange message (ECDHE curve): %u",
1749 (unsigned) tls_id));
1750 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1751 }
1752
1753 /* Convert EC's TLS ID to PSA key type. */
1754 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
1755 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1756 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1757 }
1758 handshake->xxdh_psa_type = key_type;
1759 handshake->xxdh_psa_bits = ec_bits;
1760
1761 /* Keep a copy of the peer's public key */
1762 ecpoint_len = *(*p)++;
1763 if ((size_t) (end - *p) < ecpoint_len) {
1764 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1765 }
1766
1767 if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
1768 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1769 }
1770
1771 memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
1772 handshake->xxdh_psa_peerkey_len = ecpoint_len;
1773 *p += ecpoint_len;
1774
1775 return 0;
1776 }
1777 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1778 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1779 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1780 #else
1781 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1782 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1783 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1784 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1785 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1786 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_server_ecdh_params(const mbedtls_ssl_context * ssl)1787 static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
1788 {
1789 uint16_t tls_id;
1790 mbedtls_ecp_group_id grp_id;
1791 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1792 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1793 #else
1794 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1795 #endif
1796
1797 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1798 if (tls_id == 0) {
1799 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1800 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1801 }
1802
1803 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1804 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
1805
1806 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1807 return -1;
1808 }
1809
1810 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1811 MBEDTLS_DEBUG_ECDH_QP);
1812
1813 return 0;
1814 }
1815
1816 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1817 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1818 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1819 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1820 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1821
1822 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1823 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1824 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1825 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1826 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1827 unsigned char **p,
1828 unsigned char *end)
1829 {
1830 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1831
1832 /*
1833 * Ephemeral ECDH parameters:
1834 *
1835 * struct {
1836 * ECParameters curve_params;
1837 * ECPoint public;
1838 * } ServerECDHParams;
1839 */
1840 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1841 (const unsigned char **) p, end)) != 0) {
1842 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
1843 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1844 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
1845 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
1846 }
1847 #endif
1848 return ret;
1849 }
1850
1851 if (ssl_check_server_ecdh_params(ssl) != 0) {
1852 MBEDTLS_SSL_DEBUG_MSG(1,
1853 ("bad server key exchange message (ECDHE curve)"));
1854 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1855 }
1856
1857 return ret;
1858 }
1859 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1860 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
1861 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1862 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1863 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1864 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_psk_hint(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1865 static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1866 unsigned char **p,
1867 unsigned char *end)
1868 {
1869 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1870 uint16_t len;
1871 ((void) ssl);
1872
1873 /*
1874 * PSK parameters:
1875 *
1876 * opaque psk_identity_hint<0..2^16-1>;
1877 */
1878 if (end - (*p) < 2) {
1879 MBEDTLS_SSL_DEBUG_MSG(1,
1880 ("bad server key exchange message (psk_identity_hint length)"));
1881 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1882 }
1883 len = MBEDTLS_GET_UINT16_BE(*p, 0);
1884 *p += 2;
1885
1886 if (end - (*p) < len) {
1887 MBEDTLS_SSL_DEBUG_MSG(1,
1888 ("bad server key exchange message (psk_identity_hint length)"));
1889 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1890 }
1891
1892 /*
1893 * Note: we currently ignore the PSK identity hint, as we only allow one
1894 * PSK to be provisioned on the client. This could be changed later if
1895 * someone needs that feature.
1896 */
1897 *p += len;
1898 ret = 0;
1899
1900 return ret;
1901 }
1902 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1903
1904 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1905 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1906 /*
1907 * Generate a pre-master secret and encrypt it with the server's RSA key
1908 */
1909 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_encrypted_pms(mbedtls_ssl_context * ssl,size_t offset,size_t * olen,size_t pms_offset)1910 static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1911 size_t offset, size_t *olen,
1912 size_t pms_offset)
1913 {
1914 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1915 size_t len_bytes = 2;
1916 unsigned char *p = ssl->handshake->premaster + pms_offset;
1917 mbedtls_pk_context *peer_pk;
1918
1919 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1920 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1921 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1922 }
1923
1924 /*
1925 * Generate (part of) the pre-master as
1926 * struct {
1927 * ProtocolVersion client_version;
1928 * opaque random[46];
1929 * } PreMasterSecret;
1930 */
1931 mbedtls_ssl_write_version(p, ssl->conf->transport,
1932 MBEDTLS_SSL_VERSION_TLS1_2);
1933
1934 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1935 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1936 return ret;
1937 }
1938
1939 ssl->handshake->pmslen = 48;
1940
1941 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1942 peer_pk = &ssl->handshake->peer_pubkey;
1943 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1944 if (ssl->session_negotiate->peer_cert == NULL) {
1945 /* Should never happen */
1946 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1947 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1948 }
1949 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1950 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1951
1952 /*
1953 * Now write it out, encrypted
1954 */
1955 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1956 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1957 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
1958 }
1959
1960 if ((ret = mbedtls_pk_encrypt(peer_pk,
1961 p, ssl->handshake->pmslen,
1962 ssl->out_msg + offset + len_bytes, olen,
1963 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1964 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1965 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1966 return ret;
1967 }
1968
1969 if (len_bytes == 2) {
1970 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
1971 *olen += 2;
1972 }
1973
1974 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1975 /* We don't need the peer's public key anymore. Free it. */
1976 mbedtls_pk_free(peer_pk);
1977 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1978 return 0;
1979 }
1980 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1981 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1982
1983 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1984 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1985 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)1986 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
1987 {
1988 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1989 mbedtls_pk_context *peer_pk;
1990
1991 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1992 peer_pk = &ssl->handshake->peer_pubkey;
1993 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1994 if (ssl->session_negotiate->peer_cert == NULL) {
1995 /* Should never happen */
1996 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1997 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1998 }
1999 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2000 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2001
2002 /* This is a public key, so it can't be opaque, so can_do() is a good
2003 * enough check to ensure pk_ec() is safe to use below. */
2004 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2005 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2006 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2007 }
2008
2009 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2010 const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
2011 #endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
2012
2013 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2014 uint16_t tls_id = 0;
2015 psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
2016 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
2017
2018 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
2019 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2020 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2021 }
2022
2023 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
2024 if (tls_id == 0) {
2025 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
2026 grp_id));
2027 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2028 }
2029
2030 /* If the above conversion to TLS ID was fine, then also this one will be,
2031 so there is no need to check the return value here */
2032 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
2033 &ssl->handshake->xxdh_psa_bits);
2034
2035 ssl->handshake->xxdh_psa_type = key_type;
2036
2037 /* Store peer's public key in psa format. */
2038 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2039 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2040 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
2041 ret = 0;
2042 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
2043 size_t olen = 0;
2044 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2045 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
2046 ssl->handshake->xxdh_psa_peerkey,
2047 sizeof(ssl->handshake->xxdh_psa_peerkey));
2048
2049 if (ret != 0) {
2050 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2051 return ret;
2052 }
2053 ssl->handshake->xxdh_psa_peerkey_len = olen;
2054 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2055 #else /* MBEDTLS_USE_PSA_CRYPTO */
2056 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2057 MBEDTLS_ECDH_THEIRS)) != 0) {
2058 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2059 return ret;
2060 }
2061
2062 if (ssl_check_server_ecdh_params(ssl) != 0) {
2063 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2064 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2065 }
2066 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2067 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2068 /* We don't need the peer's public key anymore. Free it,
2069 * so that more RAM is available for upcoming expensive
2070 * operations like ECDHE. */
2071 mbedtls_pk_free(peer_pk);
2072 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2073
2074 return ret;
2075 }
2076 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2077 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2078
2079 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_key_exchange(mbedtls_ssl_context * ssl)2080 static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
2081 {
2082 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2083 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2084 ssl->handshake->ciphersuite_info;
2085 unsigned char *p = NULL, *end = NULL;
2086
2087 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
2088
2089 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2090 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2091 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
2092 ssl->state++;
2093 return 0;
2094 }
2095 ((void) p);
2096 ((void) end);
2097 #endif
2098
2099 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2100 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2101 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2102 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2103 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2104 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
2105 mbedtls_ssl_send_alert_message(
2106 ssl,
2107 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2108 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2109 return ret;
2110 }
2111
2112 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
2113 ssl->state++;
2114 return 0;
2115 }
2116 ((void) p);
2117 ((void) end);
2118 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2119 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2120
2121 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2122 if (ssl->handshake->ecrs_enabled &&
2123 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
2124 goto start_processing;
2125 }
2126 #endif
2127
2128 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2129 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2130 return ret;
2131 }
2132
2133 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2135 mbedtls_ssl_send_alert_message(
2136 ssl,
2137 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2138 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2139 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2140 }
2141
2142 /*
2143 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2144 * doesn't use a psk_identity_hint
2145 */
2146 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2147 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2148 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
2149 /* Current message is probably either
2150 * CertificateRequest or ServerHelloDone */
2151 ssl->keep_current_message = 1;
2152 goto exit;
2153 }
2154
2155 MBEDTLS_SSL_DEBUG_MSG(1,
2156 ("server key exchange message must not be skipped"));
2157 mbedtls_ssl_send_alert_message(
2158 ssl,
2159 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2160 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2161
2162 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2163 }
2164
2165 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2166 if (ssl->handshake->ecrs_enabled) {
2167 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2168 }
2169
2170 start_processing:
2171 #endif
2172 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2173 end = ssl->in_msg + ssl->in_hslen;
2174 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, (size_t) (end - p));
2175
2176 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
2177 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2178 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2179 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2180 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2181 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2182 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2183 mbedtls_ssl_send_alert_message(
2184 ssl,
2185 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2186 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2187 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2188 }
2189 } /* FALLTHROUGH */
2190 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2191
2192 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2193 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2194 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2195 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
2196 ; /* nothing more to do */
2197 } else
2198 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2199 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2200 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2201 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2202 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2203 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2204 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2205 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2206 mbedtls_ssl_send_alert_message(
2207 ssl,
2208 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2209 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2210 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2211 }
2212 } else
2213 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2214 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2215 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2216 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2217 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2218 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2219 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2220 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2221 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2222 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2223 mbedtls_ssl_send_alert_message(
2224 ssl,
2225 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2226 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2227 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2228 }
2229 } else
2230 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2231 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2232 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2233 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2234 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2235 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2236 /*
2237 * The first 3 bytes are:
2238 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2239 * [1, 2] elliptic curve's TLS ID
2240 *
2241 * However since we only support secp256r1 for now, we check only
2242 * that TLS ID here
2243 */
2244 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
2245 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
2246 MBEDTLS_ECP_DP_SECP256R1);
2247
2248 if (exp_tls_id == 0) {
2249 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2250 }
2251
2252 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2253 (read_tls_id != exp_tls_id)) {
2254 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2255 }
2256
2257 p += 3;
2258
2259 if ((ret = mbedtls_psa_ecjpake_read_round(
2260 &ssl->handshake->psa_pake_ctx, p, end - p,
2261 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2262 psa_destroy_key(ssl->handshake->psa_pake_password);
2263 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2264
2265 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
2266 mbedtls_ssl_send_alert_message(
2267 ssl,
2268 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2269 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2270 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2271 }
2272 #else
2273 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2274 p, end - p);
2275 if (ret != 0) {
2276 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
2277 mbedtls_ssl_send_alert_message(
2278 ssl,
2279 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2280 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2281 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2282 }
2283 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2284 } else
2285 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2286 {
2287 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2288 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2289 }
2290
2291 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2292 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2293 size_t sig_len, hashlen;
2294 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2295
2296 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2297 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2298 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2299 size_t params_len = (size_t) (p - params);
2300 void *rs_ctx = NULL;
2301 uint16_t sig_alg;
2302
2303 mbedtls_pk_context *peer_pk;
2304
2305 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2306 peer_pk = &ssl->handshake->peer_pubkey;
2307 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2308 if (ssl->session_negotiate->peer_cert == NULL) {
2309 /* Should never happen */
2310 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2311 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2312 }
2313 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2314 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2315
2316 /*
2317 * Handle the digitally-signed structure
2318 */
2319 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2320 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2321 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2322 sig_alg, &pk_alg, &md_alg) != 0 &&
2323 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2324 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2325 MBEDTLS_SSL_DEBUG_MSG(1,
2326 ("bad server key exchange message"));
2327 mbedtls_ssl_send_alert_message(
2328 ssl,
2329 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2330 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2331 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2332 }
2333 p += 2;
2334
2335 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2336 MBEDTLS_SSL_DEBUG_MSG(1,
2337 ("bad server key exchange message"));
2338 mbedtls_ssl_send_alert_message(
2339 ssl,
2340 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2341 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2342 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2343 }
2344
2345 /*
2346 * Read signature
2347 */
2348
2349 if (p > end - 2) {
2350 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2351 mbedtls_ssl_send_alert_message(
2352 ssl,
2353 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2354 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2355 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2356 }
2357 sig_len = MBEDTLS_GET_UINT16_BE(p, 0);
2358 p += 2;
2359
2360 if (p != end - sig_len) {
2361 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2362 mbedtls_ssl_send_alert_message(
2363 ssl,
2364 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2365 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2366 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2367 }
2368
2369 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
2370
2371 /*
2372 * Compute the hash that has been signed
2373 */
2374 if (md_alg != MBEDTLS_MD_NONE) {
2375 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2376 params, params_len,
2377 md_alg);
2378 if (ret != 0) {
2379 return ret;
2380 }
2381 } else {
2382 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2383 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2384 }
2385
2386 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
2387
2388 /*
2389 * Verify signature
2390 */
2391 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2392 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2393 mbedtls_ssl_send_alert_message(
2394 ssl,
2395 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2396 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2397 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2398 }
2399
2400 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2401 if (ssl->handshake->ecrs_enabled) {
2402 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2403 }
2404 #endif
2405
2406 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2407 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
2408 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2409 rsassa_pss_options.mgf1_hash_id = md_alg;
2410 rsassa_pss_options.expected_salt_len =
2411 mbedtls_md_get_size_from_type(md_alg);
2412 if (rsassa_pss_options.expected_salt_len == 0) {
2413 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2414 }
2415
2416 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2417 peer_pk,
2418 md_alg, hash, hashlen,
2419 p, sig_len);
2420 } else
2421 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
2422 ret = mbedtls_pk_verify_restartable(peer_pk,
2423 md_alg, hash, hashlen, p, sig_len, rs_ctx);
2424
2425 if (ret != 0) {
2426 int send_alert_msg = 1;
2427 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2428 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
2429 #endif
2430 if (send_alert_msg) {
2431 mbedtls_ssl_send_alert_message(
2432 ssl,
2433 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2434 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2435 }
2436 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
2437 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2438 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2439 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2440 }
2441 #endif
2442 return ret;
2443 }
2444
2445 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2446 /* We don't need the peer's public key anymore. Free it,
2447 * so that more RAM is available for upcoming expensive
2448 * operations like ECDHE. */
2449 mbedtls_pk_free(peer_pk);
2450 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2451 }
2452 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2453
2454 exit:
2455 ssl->state++;
2456
2457 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
2458
2459 return 0;
2460 }
2461
2462 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2463 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2464 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2465 {
2466 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2467 ssl->handshake->ciphersuite_info;
2468
2469 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2470
2471 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2472 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
2473 ssl->state++;
2474 return 0;
2475 }
2476
2477 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2478 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2479 }
2480 #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2481 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2482 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2483 {
2484 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2485 unsigned char *buf;
2486 size_t n = 0;
2487 size_t cert_type_len = 0, dn_len = 0;
2488 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2489 ssl->handshake->ciphersuite_info;
2490 size_t sig_alg_len;
2491 #if defined(MBEDTLS_DEBUG_C)
2492 unsigned char *sig_alg;
2493 unsigned char *dn;
2494 #endif
2495
2496 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2497
2498 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2499 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
2500 ssl->state++;
2501 return 0;
2502 }
2503
2504 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2505 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2506 return ret;
2507 }
2508
2509 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2510 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2511 mbedtls_ssl_send_alert_message(
2512 ssl,
2513 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2514 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2515 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2516 }
2517
2518 ssl->state++;
2519 ssl->handshake->client_auth =
2520 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
2521
2522 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2523 ssl->handshake->client_auth ? "a" : "no"));
2524
2525 if (ssl->handshake->client_auth == 0) {
2526 /* Current message is probably the ServerHelloDone */
2527 ssl->keep_current_message = 1;
2528 goto exit;
2529 }
2530
2531 /*
2532 * struct {
2533 * ClientCertificateType certificate_types<1..2^8-1>;
2534 * SignatureAndHashAlgorithm
2535 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2536 * DistinguishedName certificate_authorities<0..2^16-1>;
2537 * } CertificateRequest;
2538 *
2539 * Since we only support a single certificate on clients, let's just
2540 * ignore all the information that's supposed to help us pick a
2541 * certificate.
2542 *
2543 * We could check that our certificate matches the request, and bail out
2544 * if it doesn't, but it's simpler to just send the certificate anyway,
2545 * and give the server the opportunity to decide if it should terminate
2546 * the connection when it doesn't like our certificate.
2547 *
2548 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2549 * point we only have one hash available (see comments in
2550 * write_certificate_verify), so let's just use what we have.
2551 *
2552 * However, we still minimally parse the message to check it is at least
2553 * superficially sane.
2554 */
2555 buf = ssl->in_msg;
2556
2557 /* certificate_types */
2558 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2559 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2560 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2561 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2562 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2563 }
2564 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
2565 n = cert_type_len;
2566
2567 /*
2568 * In the subsequent code there are two paths that read from buf:
2569 * * the length of the signature algorithms field (if minor version of
2570 * SSL is 3),
2571 * * distinguished name length otherwise.
2572 * Both reach at most the index:
2573 * ...hdr_len + 2 + n,
2574 * therefore the buffer length at this point must be greater than that
2575 * regardless of the actual code path.
2576 */
2577 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2578 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2579 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2580 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2581 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2582 }
2583
2584 /* supported_signature_algorithms */
2585 sig_alg_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
2586
2587 /*
2588 * The furthest access in buf is in the loop few lines below:
2589 * sig_alg[i + 1],
2590 * where:
2591 * sig_alg = buf + ...hdr_len + 3 + n,
2592 * max(i) = sig_alg_len - 1.
2593 * Therefore the furthest access is:
2594 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2595 * which reduces to:
2596 * buf[...hdr_len + 3 + n + sig_alg_len],
2597 * which is one less than we need the buf to be.
2598 */
2599 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2600 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2601 mbedtls_ssl_send_alert_message(
2602 ssl,
2603 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2604 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2605 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2606 }
2607
2608 #if defined(MBEDTLS_DEBUG_C)
2609 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2610 for (size_t i = 0; i < sig_alg_len; i += 2) {
2611 MBEDTLS_SSL_DEBUG_MSG(3,
2612 ("Supported Signature Algorithm found: %02x %02x",
2613 sig_alg[i], sig_alg[i + 1]));
2614 }
2615 #endif
2616
2617 n += 2 + sig_alg_len;
2618
2619 /* certificate_authorities */
2620 dn_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
2621
2622 n += dn_len;
2623 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2624 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2625 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2626 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2627 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2628 }
2629
2630 #if defined(MBEDTLS_DEBUG_C)
2631 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2632 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
2633 unsigned char *p = dn + i + 2;
2634 mbedtls_x509_name name;
2635 size_t asn1_len;
2636 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
2637 memset(&name, 0, sizeof(name));
2638 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2639 if (dni_len > dn_len - i - 2 ||
2640 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2641 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2642 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2643 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2644 mbedtls_ssl_send_alert_message(
2645 ssl,
2646 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2647 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2648 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2649 }
2650 MBEDTLS_SSL_DEBUG_MSG(3,
2651 ("DN hint: %.*s",
2652 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2653 mbedtls_asn1_free_named_data_list_shallow(name.next);
2654 }
2655 #endif
2656
2657 exit:
2658 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2659
2660 return 0;
2661 }
2662 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2663
2664 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_hello_done(mbedtls_ssl_context * ssl)2665 static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
2666 {
2667 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2668
2669 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
2670
2671 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2672 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2673 return ret;
2674 }
2675
2676 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2677 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2678 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2679 }
2680
2681 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2682 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2683 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2684 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2685 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2686 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2687 }
2688
2689 ssl->state++;
2690
2691 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2692 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2693 mbedtls_ssl_recv_flight_completed(ssl);
2694 }
2695 #endif
2696
2697 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
2698
2699 return 0;
2700 }
2701
2702 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_client_key_exchange(mbedtls_ssl_context * ssl)2703 static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
2704 {
2705 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2706
2707 size_t header_len;
2708 size_t content_len;
2709 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2710 ssl->handshake->ciphersuite_info;
2711
2712 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
2713
2714 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2715 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
2716 /*
2717 * DHM key exchange -- send G^X mod P
2718 */
2719 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
2720
2721 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
2722 header_len = 6;
2723
2724 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2725 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2726 &ssl->out_msg[header_len], content_len,
2727 ssl->conf->f_rng, ssl->conf->p_rng);
2728 if (ret != 0) {
2729 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2730 return ret;
2731 }
2732
2733 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2734 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2735
2736 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2737 ssl->handshake->premaster,
2738 MBEDTLS_PREMASTER_SIZE,
2739 &ssl->handshake->pmslen,
2740 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2741 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2742 return ret;
2743 }
2744
2745 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2746 } else
2747 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2748 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2749 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2750 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2751 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2752 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2753 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2754 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2755 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2756 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2757 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2758 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2759 psa_key_attributes_t key_attributes;
2760
2761 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2762
2763 header_len = 4;
2764
2765 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
2766
2767 /*
2768 * Generate EC private key for ECDHE exchange.
2769 */
2770
2771 /* The master secret is obtained from the shared ECDH secret by
2772 * applying the TLS 1.2 PRF with a specific salt and label. While
2773 * the PSA Crypto API encourages combining key agreement schemes
2774 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2775 * yet support the provisioning of salt + label to the KDF.
2776 * For the time being, we therefore need to split the computation
2777 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2778 key_attributes = psa_key_attributes_init();
2779 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2780 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2781 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2782 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
2783
2784 /* Generate ECDH private key. */
2785 status = psa_generate_key(&key_attributes,
2786 &handshake->xxdh_psa_privkey);
2787 if (status != PSA_SUCCESS) {
2788 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2789 }
2790
2791 /* Export the public part of the ECDH private key from PSA.
2792 * The export format is an ECPoint structure as expected by TLS,
2793 * but we just need to add a length byte before that. */
2794 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2795 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2796 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
2797 size_t own_pubkey_len;
2798
2799 status = psa_export_public_key(handshake->xxdh_psa_privkey,
2800 own_pubkey, own_pubkey_max_len,
2801 &own_pubkey_len);
2802 if (status != PSA_SUCCESS) {
2803 psa_destroy_key(handshake->xxdh_psa_privkey);
2804 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2805 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2806 }
2807
2808 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2809 content_len = own_pubkey_len + 1;
2810
2811 /* The ECDH secret is the premaster secret used for key derivation. */
2812
2813 /* Compute ECDH shared secret. */
2814 status = psa_raw_key_agreement(PSA_ALG_ECDH,
2815 handshake->xxdh_psa_privkey,
2816 handshake->xxdh_psa_peerkey,
2817 handshake->xxdh_psa_peerkey_len,
2818 ssl->handshake->premaster,
2819 sizeof(ssl->handshake->premaster),
2820 &ssl->handshake->pmslen);
2821
2822 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
2823 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2824
2825 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2826 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2827 }
2828 #else
2829 /*
2830 * ECDH key exchange -- send client public value
2831 */
2832 header_len = 4;
2833
2834 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2835 if (ssl->handshake->ecrs_enabled) {
2836 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
2837 goto ecdh_calc_secret;
2838 }
2839
2840 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
2841 }
2842 #endif
2843
2844 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2845 &content_len,
2846 &ssl->out_msg[header_len], 1000,
2847 ssl->conf->f_rng, ssl->conf->p_rng);
2848 if (ret != 0) {
2849 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
2850 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2851 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2852 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2853 }
2854 #endif
2855 return ret;
2856 }
2857
2858 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2859 MBEDTLS_DEBUG_ECDH_Q);
2860
2861 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2862 if (ssl->handshake->ecrs_enabled) {
2863 ssl->handshake->ecrs_n = content_len;
2864 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
2865 }
2866
2867 ecdh_calc_secret:
2868 if (ssl->handshake->ecrs_enabled) {
2869 content_len = ssl->handshake->ecrs_n;
2870 }
2871 #endif
2872 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2873 &ssl->handshake->pmslen,
2874 ssl->handshake->premaster,
2875 MBEDTLS_MPI_MAX_SIZE,
2876 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2877 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
2878 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2879 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2880 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2881 }
2882 #endif
2883 return ret;
2884 }
2885
2886 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2887 MBEDTLS_DEBUG_ECDH_Z);
2888 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2889 } else
2890 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2891 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2892 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2893 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2894 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2895 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2896 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2897 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2898 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2899 psa_key_attributes_t key_attributes;
2900
2901 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2902
2903 /*
2904 * opaque psk_identity<0..2^16-1>;
2905 */
2906 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
2907 /* We don't offer PSK suites if we don't have a PSK,
2908 * and we check that the server's choice is among the
2909 * ciphersuites we offered, so this should never happen. */
2910 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2911 }
2912
2913 /* uint16 to store content length */
2914 const size_t content_len_size = 2;
2915
2916 header_len = 4;
2917
2918 if (header_len + content_len_size + ssl->conf->psk_identity_len
2919 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2920 MBEDTLS_SSL_DEBUG_MSG(1,
2921 ("psk identity too long or SSL buffer too short"));
2922 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2923 }
2924
2925 unsigned char *p = ssl->out_msg + header_len;
2926
2927 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2928 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
2929 header_len += content_len_size;
2930
2931 memcpy(p, ssl->conf->psk_identity,
2932 ssl->conf->psk_identity_len);
2933 p += ssl->conf->psk_identity_len;
2934
2935 header_len += ssl->conf->psk_identity_len;
2936
2937 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
2938
2939 /*
2940 * Generate EC private key for ECDHE exchange.
2941 */
2942
2943 /* The master secret is obtained from the shared ECDH secret by
2944 * applying the TLS 1.2 PRF with a specific salt and label. While
2945 * the PSA Crypto API encourages combining key agreement schemes
2946 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2947 * yet support the provisioning of salt + label to the KDF.
2948 * For the time being, we therefore need to split the computation
2949 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2950 key_attributes = psa_key_attributes_init();
2951 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2952 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2953 psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
2954 psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
2955
2956 /* Generate ECDH private key. */
2957 status = psa_generate_key(&key_attributes,
2958 &handshake->xxdh_psa_privkey);
2959 if (status != PSA_SUCCESS) {
2960 return PSA_TO_MBEDTLS_ERR(status);
2961 }
2962
2963 /* Export the public part of the ECDH private key from PSA.
2964 * The export format is an ECPoint structure as expected by TLS,
2965 * but we just need to add a length byte before that. */
2966 unsigned char *own_pubkey = p + 1;
2967 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2968 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
2969 size_t own_pubkey_len = 0;
2970
2971 status = psa_export_public_key(handshake->xxdh_psa_privkey,
2972 own_pubkey, own_pubkey_max_len,
2973 &own_pubkey_len);
2974 if (status != PSA_SUCCESS) {
2975 psa_destroy_key(handshake->xxdh_psa_privkey);
2976 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2977 return PSA_TO_MBEDTLS_ERR(status);
2978 }
2979
2980 *p = (unsigned char) own_pubkey_len;
2981 content_len = own_pubkey_len + 1;
2982
2983 /* As RFC 5489 section 2, the premaster secret is formed as follows:
2984 * - a uint16 containing the length (in octets) of the ECDH computation
2985 * - the octet string produced by the ECDH computation
2986 * - a uint16 containing the length (in octets) of the PSK
2987 * - the PSK itself
2988 */
2989 unsigned char *pms = ssl->handshake->premaster;
2990 const unsigned char * const pms_end = pms +
2991 sizeof(ssl->handshake->premaster);
2992 /* uint16 to store length (in octets) of the ECDH computation */
2993 const size_t zlen_size = 2;
2994 size_t zlen = 0;
2995
2996 /* Perform ECDH computation after the uint16 reserved for the length */
2997 status = psa_raw_key_agreement(PSA_ALG_ECDH,
2998 handshake->xxdh_psa_privkey,
2999 handshake->xxdh_psa_peerkey,
3000 handshake->xxdh_psa_peerkey_len,
3001 pms + zlen_size,
3002 pms_end - (pms + zlen_size),
3003 &zlen);
3004
3005 destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3006 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3007
3008 if (status != PSA_SUCCESS) {
3009 return PSA_TO_MBEDTLS_ERR(status);
3010 } else if (destruction_status != PSA_SUCCESS) {
3011 return PSA_TO_MBEDTLS_ERR(destruction_status);
3012 }
3013
3014 /* Write the ECDH computation length before the ECDH computation */
3015 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
3016 pms += zlen_size + zlen;
3017 } else
3018 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
3019 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3020 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3021 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
3022 /*
3023 * opaque psk_identity<0..2^16-1>;
3024 */
3025 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
3026 /* We don't offer PSK suites if we don't have a PSK,
3027 * and we check that the server's choice is among the
3028 * ciphersuites we offered, so this should never happen. */
3029 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3030 }
3031
3032 header_len = 4;
3033 content_len = ssl->conf->psk_identity_len;
3034
3035 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3036 MBEDTLS_SSL_DEBUG_MSG(1,
3037 ("psk identity too long or SSL buffer too short"));
3038 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3039 }
3040
3041 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3042 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3043
3044 memcpy(ssl->out_msg + header_len,
3045 ssl->conf->psk_identity,
3046 ssl->conf->psk_identity_len);
3047 header_len += ssl->conf->psk_identity_len;
3048
3049 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3050 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3051 content_len = 0;
3052 } else
3053 #endif
3054 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3055 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3056 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3057 &content_len, 2)) != 0) {
3058 return ret;
3059 }
3060 } else
3061 #endif
3062 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3063 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3064 /*
3065 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3066 */
3067 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
3068
3069 if (header_len + 2 + content_len >
3070 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3071 MBEDTLS_SSL_DEBUG_MSG(1,
3072 ("psk identity or DHM size too long or SSL buffer too short"));
3073 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3074 }
3075
3076 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3077 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3078
3079 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3080 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3081 &ssl->out_msg[header_len], content_len,
3082 ssl->conf->f_rng, ssl->conf->p_rng);
3083 if (ret != 0) {
3084 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3085 return ret;
3086 }
3087
3088 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3089 unsigned char *pms = ssl->handshake->premaster;
3090 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3091 size_t pms_len;
3092
3093 /* Write length only when we know the actual value */
3094 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3095 pms + 2, pms_end - (pms + 2), &pms_len,
3096 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3097 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3098 return ret;
3099 }
3100 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
3101 pms += 2 + pms_len;
3102
3103 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3104 #endif
3105 } else
3106 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3107 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
3108 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3109 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3110 /*
3111 * ClientECDiffieHellmanPublic public;
3112 */
3113 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3114 &content_len,
3115 &ssl->out_msg[header_len],
3116 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3117 ssl->conf->f_rng, ssl->conf->p_rng);
3118 if (ret != 0) {
3119 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3120 return ret;
3121 }
3122
3123 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3124 MBEDTLS_DEBUG_ECDH_Q);
3125 } else
3126 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3127 {
3128 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3129 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3130 }
3131
3132 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3133 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3134 (mbedtls_key_exchange_type_t) ciphersuite_info->
3135 key_exchange)) != 0) {
3136 MBEDTLS_SSL_DEBUG_RET(1,
3137 "mbedtls_ssl_psk_derive_premaster", ret);
3138 return ret;
3139 }
3140 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3141 } else
3142 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3143 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3144 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3145 header_len = 4;
3146 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3147 &content_len, 0)) != 0) {
3148 return ret;
3149 }
3150 } else
3151 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3152 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3153 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3154 header_len = 4;
3155
3156 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3157 unsigned char *out_p = ssl->out_msg + header_len;
3158 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3159 header_len;
3160 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3161 out_p, end_p - out_p, &content_len,
3162 MBEDTLS_ECJPAKE_ROUND_TWO);
3163 if (ret != 0) {
3164 psa_destroy_key(ssl->handshake->psa_pake_password);
3165 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3166 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3167 return ret;
3168 }
3169 #else
3170 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3171 ssl->out_msg + header_len,
3172 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3173 &content_len,
3174 ssl->conf->f_rng, ssl->conf->p_rng);
3175 if (ret != 0) {
3176 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3177 return ret;
3178 }
3179
3180 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3181 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3182 ssl->conf->f_rng, ssl->conf->p_rng);
3183 if (ret != 0) {
3184 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3185 return ret;
3186 }
3187 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3188 } else
3189 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3190 {
3191 ((void) ciphersuite_info);
3192 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3193 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3194 }
3195
3196 ssl->out_msglen = header_len + content_len;
3197 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3198 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3199
3200 ssl->state++;
3201
3202 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3203 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3204 return ret;
3205 }
3206
3207 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
3208
3209 return 0;
3210 }
3211
3212 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3213 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3214 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3215 {
3216 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3217 ssl->handshake->ciphersuite_info;
3218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3219
3220 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
3221
3222 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3223 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3224 return ret;
3225 }
3226
3227 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3228 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3229 ssl->state++;
3230 return 0;
3231 }
3232
3233 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3234 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3235 }
3236 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3237 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3238 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3239 {
3240 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3241 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3242 ssl->handshake->ciphersuite_info;
3243 size_t n = 0, offset = 0;
3244 unsigned char hash[48];
3245 unsigned char *hash_start = hash;
3246 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3247 size_t hashlen;
3248 void *rs_ctx = NULL;
3249 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3250 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
3251 #else
3252 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
3253 #endif
3254
3255 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
3256
3257 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3258 if (ssl->handshake->ecrs_enabled &&
3259 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
3260 goto sign;
3261 }
3262 #endif
3263
3264 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3265 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3266 return ret;
3267 }
3268
3269 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3270 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3271 ssl->state++;
3272 return 0;
3273 }
3274
3275 if (ssl->handshake->client_auth == 0 ||
3276 mbedtls_ssl_own_cert(ssl) == NULL) {
3277 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3278 ssl->state++;
3279 return 0;
3280 }
3281
3282 if (mbedtls_ssl_own_key(ssl) == NULL) {
3283 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3284 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3285 }
3286
3287 /*
3288 * Make a signature of the handshake digests
3289 */
3290 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3291 if (ssl->handshake->ecrs_enabled) {
3292 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3293 }
3294
3295 sign:
3296 #endif
3297
3298 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3299 if (0 != ret) {
3300 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3301 return ret;
3302 }
3303
3304 /*
3305 * digitally-signed struct {
3306 * opaque handshake_messages[handshake_messages_length];
3307 * };
3308 *
3309 * Taking shortcut here. We assume that the server always allows the
3310 * PRF Hash function and has sent it in the allowed signature
3311 * algorithms list received in the Certificate Request message.
3312 *
3313 * Until we encounter a server that does not, we will take this
3314 * shortcut.
3315 *
3316 * Reason: Otherwise we should have running hashes for SHA512 and
3317 * SHA224 in order to satisfy 'weird' needs from the server
3318 * side.
3319 */
3320 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
3321 md_alg = MBEDTLS_MD_SHA384;
3322 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3323 } else {
3324 md_alg = MBEDTLS_MD_SHA256;
3325 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3326 }
3327 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
3328
3329 /* Info from md_alg will be used instead */
3330 hashlen = 0;
3331 offset = 2;
3332
3333 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3334 if (ssl->handshake->ecrs_enabled) {
3335 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3336 }
3337 #endif
3338
3339 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3340 md_alg, hash_start, hashlen,
3341 ssl->out_msg + 6 + offset,
3342 out_buf_len - 6 - offset,
3343 &n,
3344 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3345 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3346 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3347 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3348 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3349 }
3350 #endif
3351 return ret;
3352 }
3353
3354 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
3355
3356 ssl->out_msglen = 6 + n + offset;
3357 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3358 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3359
3360 ssl->state++;
3361
3362 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3363 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3364 return ret;
3365 }
3366
3367 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
3368
3369 return ret;
3370 }
3371 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3372
3373 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3374 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_new_session_ticket(mbedtls_ssl_context * ssl)3375 static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
3376 {
3377 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3378 uint32_t lifetime;
3379 size_t ticket_len;
3380 unsigned char *ticket;
3381 const unsigned char *msg;
3382
3383 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
3384
3385 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3386 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3387 return ret;
3388 }
3389
3390 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3391 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3392 mbedtls_ssl_send_alert_message(
3393 ssl,
3394 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3395 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3396 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3397 }
3398
3399 /*
3400 * struct {
3401 * uint32 ticket_lifetime_hint;
3402 * opaque ticket<0..2^16-1>;
3403 * } NewSessionTicket;
3404 *
3405 * 0 . 3 ticket_lifetime_hint
3406 * 4 . 5 ticket_len (n)
3407 * 6 . 5+n ticket content
3408 */
3409 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3410 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3411 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3412 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3413 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3414 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3415 }
3416
3417 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3418
3419 lifetime = MBEDTLS_GET_UINT32_BE(msg, 0);
3420
3421 ticket_len = MBEDTLS_GET_UINT16_BE(msg, 4);
3422
3423 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3424 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3425 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3426 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3427 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3428 }
3429
3430 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
3431
3432 /* We're not waiting for a NewSessionTicket message any more */
3433 ssl->handshake->new_session_ticket = 0;
3434 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3435
3436 /*
3437 * Zero-length ticket means the server changed his mind and doesn't want
3438 * to send a ticket after all, so just forget it
3439 */
3440 if (ticket_len == 0) {
3441 return 0;
3442 }
3443
3444 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3445 mbedtls_zeroize_and_free(ssl->session->ticket,
3446 ssl->session->ticket_len);
3447 ssl->session->ticket = NULL;
3448 ssl->session->ticket_len = 0;
3449 }
3450
3451 mbedtls_zeroize_and_free(ssl->session_negotiate->ticket,
3452 ssl->session_negotiate->ticket_len);
3453 ssl->session_negotiate->ticket = NULL;
3454 ssl->session_negotiate->ticket_len = 0;
3455
3456 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3457 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3458 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3459 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3460 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3461 }
3462
3463 memcpy(ticket, msg + 6, ticket_len);
3464
3465 ssl->session_negotiate->ticket = ticket;
3466 ssl->session_negotiate->ticket_len = ticket_len;
3467 ssl->session_negotiate->ticket_lifetime = lifetime;
3468
3469 /*
3470 * RFC 5077 section 3.4:
3471 * "If the client receives a session ticket from the server, then it
3472 * discards any Session ID that was sent in the ServerHello."
3473 */
3474 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
3475 ssl->session_negotiate->id_len = 0;
3476
3477 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
3478
3479 return 0;
3480 }
3481 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3482
3483 /*
3484 * SSL handshake -- client side -- single step
3485 */
mbedtls_ssl_handshake_client_step(mbedtls_ssl_context * ssl)3486 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
3487 {
3488 int ret = 0;
3489
3490 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3491 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3492 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3493 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3494 ssl->handshake->new_session_ticket != 0) {
3495 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
3496 }
3497 #endif
3498
3499 switch (ssl->state) {
3500 case MBEDTLS_SSL_HELLO_REQUEST:
3501 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3502 break;
3503
3504 /*
3505 * ==> ClientHello
3506 */
3507 case MBEDTLS_SSL_CLIENT_HELLO:
3508 ret = mbedtls_ssl_write_client_hello(ssl);
3509 break;
3510
3511 /*
3512 * <== ServerHello
3513 * Certificate
3514 * ( ServerKeyExchange )
3515 * ( CertificateRequest )
3516 * ServerHelloDone
3517 */
3518 case MBEDTLS_SSL_SERVER_HELLO:
3519 ret = ssl_parse_server_hello(ssl);
3520 break;
3521
3522 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3523 ret = mbedtls_ssl_parse_certificate(ssl);
3524 break;
3525
3526 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3527 ret = ssl_parse_server_key_exchange(ssl);
3528 break;
3529
3530 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3531 ret = ssl_parse_certificate_request(ssl);
3532 break;
3533
3534 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3535 ret = ssl_parse_server_hello_done(ssl);
3536 break;
3537
3538 /*
3539 * ==> ( Certificate/Alert )
3540 * ClientKeyExchange
3541 * ( CertificateVerify )
3542 * ChangeCipherSpec
3543 * Finished
3544 */
3545 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3546 ret = mbedtls_ssl_write_certificate(ssl);
3547 break;
3548
3549 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3550 ret = ssl_write_client_key_exchange(ssl);
3551 break;
3552
3553 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3554 ret = ssl_write_certificate_verify(ssl);
3555 break;
3556
3557 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3558 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3559 break;
3560
3561 case MBEDTLS_SSL_CLIENT_FINISHED:
3562 ret = mbedtls_ssl_write_finished(ssl);
3563 break;
3564
3565 /*
3566 * <== ( NewSessionTicket )
3567 * ChangeCipherSpec
3568 * Finished
3569 */
3570 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3571 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3572 ret = ssl_parse_new_session_ticket(ssl);
3573 break;
3574 #endif
3575
3576 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3577 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3578 break;
3579
3580 case MBEDTLS_SSL_SERVER_FINISHED:
3581 ret = mbedtls_ssl_parse_finished(ssl);
3582 break;
3583
3584 case MBEDTLS_SSL_FLUSH_BUFFERS:
3585 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3586 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3587 break;
3588
3589 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3590 mbedtls_ssl_handshake_wrapup(ssl);
3591 break;
3592
3593 default:
3594 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3595 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3596 }
3597
3598 return ret;
3599 }
3600
3601 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */
3602