1 /*
2  *  TLS server-side functions
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 
8 #include "common.h"
9 
10 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
11 
12 #include "mbedtls/platform.h"
13 
14 #include "mbedtls/ssl.h"
15 #include "ssl_misc.h"
16 #include "debug_internal.h"
17 #include "mbedtls/error.h"
18 #include "mbedtls/platform_util.h"
19 #include "constant_time_internal.h"
20 #include "mbedtls/constant_time.h"
21 
22 #include <string.h>
23 
24 #if defined(MBEDTLS_USE_PSA_CRYPTO)
25 /* Define a local translating function to save code size by not using too many
26  * arguments in each translating place. */
27 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
28     defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
local_err_translation(psa_status_t status)29 static int local_err_translation(psa_status_t status)
30 {
31     return psa_status_to_mbedtls(status, psa_to_ssl_errors,
32                                  ARRAY_LENGTH(psa_to_ssl_errors),
33                                  psa_generic_status_to_mbedtls);
34 }
35 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
36 #endif
37 #endif
38 
39 #if defined(MBEDTLS_ECP_C)
40 #include "mbedtls/ecp.h"
41 #endif
42 
43 #if defined(MBEDTLS_HAVE_TIME)
44 #include "mbedtls/platform_time.h"
45 #endif
46 
47 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context * ssl,const unsigned char * info,size_t ilen)48 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
49                                         const unsigned char *info,
50                                         size_t ilen)
51 {
52     if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
53         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
54     }
55 
56     mbedtls_free(ssl->cli_id);
57 
58     if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
59         return MBEDTLS_ERR_SSL_ALLOC_FAILED;
60     }
61 
62     memcpy(ssl->cli_id, info, ilen);
63     ssl->cli_id_len = ilen;
64 
65     return 0;
66 }
67 
mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config * conf,mbedtls_ssl_cookie_write_t * f_cookie_write,mbedtls_ssl_cookie_check_t * f_cookie_check,void * p_cookie)68 void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
69                                    mbedtls_ssl_cookie_write_t *f_cookie_write,
70                                    mbedtls_ssl_cookie_check_t *f_cookie_check,
71                                    void *p_cookie)
72 {
73     conf->f_cookie_write = f_cookie_write;
74     conf->f_cookie_check = f_cookie_check;
75     conf->p_cookie       = p_cookie;
76 }
77 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
78 
79 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
80 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_has_psk_or_cb(mbedtls_ssl_config const * conf)81 static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
82 {
83     if (conf->f_psk != NULL) {
84         return 1;
85     }
86 
87     if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
88         return 0;
89     }
90 
91 
92 #if defined(MBEDTLS_USE_PSA_CRYPTO)
93     if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
94         return 1;
95     }
96 #endif /* MBEDTLS_USE_PSA_CRYPTO */
97 
98     if (conf->psk != NULL && conf->psk_len != 0) {
99         return 1;
100     }
101 
102     return 0;
103 }
104 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
105 
106 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)107 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
108                                         const unsigned char *buf,
109                                         size_t len)
110 {
111 #if defined(MBEDTLS_SSL_RENEGOTIATION)
112     if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
113         /* Check verify-data in constant-time. The length OTOH is no secret */
114         if (len    != 1 + ssl->verify_data_len ||
115             buf[0] !=     ssl->verify_data_len ||
116             mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
117                               ssl->verify_data_len) != 0) {
118             MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
119             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
120                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
121             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
122         }
123     } else
124 #endif /* MBEDTLS_SSL_RENEGOTIATION */
125     {
126         if (len != 1 || buf[0] != 0x0) {
127             MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
128             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
129                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
130             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
131         }
132 
133         ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
134     }
135 
136     return 0;
137 }
138 
139 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
140     defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
141     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
142 /*
143  * Function for parsing a supported groups (TLS 1.3) or supported elliptic
144  * curves (TLS 1.2) extension.
145  *
146  * The "extension_data" field of a supported groups extension contains a
147  * "NamedGroupList" value (TLS 1.3 RFC8446):
148  *      enum {
149  *          secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
150  *          x25519(0x001D), x448(0x001E),
151  *          ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
152  *          ffdhe6144(0x0103), ffdhe8192(0x0104),
153  *          ffdhe_private_use(0x01FC..0x01FF),
154  *          ecdhe_private_use(0xFE00..0xFEFF),
155  *          (0xFFFF)
156  *      } NamedGroup;
157  *      struct {
158  *          NamedGroup named_group_list<2..2^16-1>;
159  *      } NamedGroupList;
160  *
161  * The "extension_data" field of a supported elliptic curves extension contains
162  * a "NamedCurveList" value (TLS 1.2 RFC 8422):
163  * enum {
164  *      deprecated(1..22),
165  *      secp256r1 (23), secp384r1 (24), secp521r1 (25),
166  *      x25519(29), x448(30),
167  *      reserved (0xFE00..0xFEFF),
168  *      deprecated(0xFF01..0xFF02),
169  *      (0xFFFF)
170  *  } NamedCurve;
171  * struct {
172  *      NamedCurve named_curve_list<2..2^16-1>
173  *  } NamedCurveList;
174  *
175  * The TLS 1.3 supported groups extension was defined to be a compatible
176  * generalization of the TLS 1.2 supported elliptic curves extension. They both
177  * share the same extension identifier.
178  *
179  */
180 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_groups_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)181 static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
182                                           const unsigned char *buf,
183                                           size_t len)
184 {
185     size_t list_size, our_size;
186     const unsigned char *p;
187     uint16_t *curves_tls_id;
188 
189     if (len < 2) {
190         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
191         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
192                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
193         return MBEDTLS_ERR_SSL_DECODE_ERROR;
194     }
195     list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
196     if (list_size + 2 != len ||
197         list_size % 2 != 0) {
198         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
199         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
200                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
201         return MBEDTLS_ERR_SSL_DECODE_ERROR;
202     }
203 
204     /* Should never happen unless client duplicates the extension */
205     if (ssl->handshake->curves_tls_id != NULL) {
206         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
207         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
208                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
209         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
210     }
211 
212     /* Don't allow our peer to make us allocate too much memory,
213      * and leave room for a final 0 */
214     our_size = list_size / 2 + 1;
215     if (our_size > MBEDTLS_ECP_DP_MAX) {
216         our_size = MBEDTLS_ECP_DP_MAX;
217     }
218 
219     if ((curves_tls_id = mbedtls_calloc(our_size,
220                                         sizeof(*curves_tls_id))) == NULL) {
221         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
222                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
223         return MBEDTLS_ERR_SSL_ALLOC_FAILED;
224     }
225 
226     ssl->handshake->curves_tls_id = curves_tls_id;
227 
228     p = buf + 2;
229     while (list_size > 0 && our_size > 1) {
230         uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
231 
232         if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
233             MBEDTLS_ECP_DP_NONE) {
234             *curves_tls_id++ = curr_tls_id;
235             our_size--;
236         }
237 
238         list_size -= 2;
239         p += 2;
240     }
241 
242     return 0;
243 }
244 
245 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_point_formats(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)246 static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
247                                              const unsigned char *buf,
248                                              size_t len)
249 {
250     size_t list_size;
251     const unsigned char *p;
252 
253     if (len == 0 || (size_t) (buf[0] + 1) != len) {
254         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
255         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
256                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
257         return MBEDTLS_ERR_SSL_DECODE_ERROR;
258     }
259     list_size = buf[0];
260 
261     p = buf + 1;
262     while (list_size > 0) {
263         if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
264             p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
265 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
266             defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
267             ssl->handshake->ecdh_ctx.point_format = p[0];
268 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
269 #if !defined(MBEDTLS_USE_PSA_CRYPTO) &&                             \
270             defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
271             mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
272                                              p[0]);
273 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
274             MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
275             return 0;
276         }
277 
278         list_size--;
279         p++;
280     }
281 
282     return 0;
283 }
284 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
285           MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
286           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
287 
288 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
289 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)290 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
291                                   const unsigned char *buf,
292                                   size_t len)
293 {
294     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
295 
296 #if defined(MBEDTLS_USE_PSA_CRYPTO)
297     if (ssl->handshake->psa_pake_ctx_is_ok != 1)
298 #else
299     if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
300 #endif /* MBEDTLS_USE_PSA_CRYPTO */
301     {
302         MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
303         return 0;
304     }
305 
306 #if defined(MBEDTLS_USE_PSA_CRYPTO)
307     if ((ret = mbedtls_psa_ecjpake_read_round(
308              &ssl->handshake->psa_pake_ctx, buf, len,
309              MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
310         psa_destroy_key(ssl->handshake->psa_pake_password);
311         psa_pake_abort(&ssl->handshake->psa_pake_ctx);
312 
313         MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
314         mbedtls_ssl_send_alert_message(
315             ssl,
316             MBEDTLS_SSL_ALERT_LEVEL_FATAL,
317             MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
318 
319         return ret;
320     }
321 #else
322     if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
323                                               buf, len)) != 0) {
324         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
325         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
327         return ret;
328     }
329 #endif /* MBEDTLS_USE_PSA_CRYPTO */
330 
331     /* Only mark the extension as OK when we're sure it is */
332     ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
333 
334     return 0;
335 }
336 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
337 
338 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
339 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)340 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
341                                              const unsigned char *buf,
342                                              size_t len)
343 {
344     if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
345         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
346         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
347                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
348         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
349     }
350 
351     ssl->session_negotiate->mfl_code = buf[0];
352 
353     return 0;
354 }
355 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
356 
357 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
358 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_cid_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)359 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
360                              const unsigned char *buf,
361                              size_t len)
362 {
363     size_t peer_cid_len;
364 
365     /* CID extension only makes sense in DTLS */
366     if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
367         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
368         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
369                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
370         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
371     }
372 
373     /*
374      *   struct {
375      *      opaque cid<0..2^8-1>;
376      *   } ConnectionId;
377      */
378 
379     if (len < 1) {
380         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
381         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
382                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
383         return MBEDTLS_ERR_SSL_DECODE_ERROR;
384     }
385 
386     peer_cid_len = *buf++;
387     len--;
388 
389     if (len != peer_cid_len) {
390         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
391         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
392                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
393         return MBEDTLS_ERR_SSL_DECODE_ERROR;
394     }
395 
396     /* Ignore CID if the user has disabled its use. */
397     if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
398         /* Leave ssl->handshake->cid_in_use in its default
399          * value of MBEDTLS_SSL_CID_DISABLED. */
400         MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
401         return 0;
402     }
403 
404     if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
405         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
406         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
407                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
408         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
409     }
410 
411     ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
412     ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
413     memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
414 
415     MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
416     MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
417 
418     return 0;
419 }
420 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
421 
422 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
423 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)424 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
425                                           const unsigned char *buf,
426                                           size_t len)
427 {
428     if (len != 0) {
429         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
430         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
431                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
432         return MBEDTLS_ERR_SSL_DECODE_ERROR;
433     }
434 
435     ((void) buf);
436 
437     if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
438         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
439     }
440 
441     return 0;
442 }
443 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
444 
445 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
446 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)447 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
448                                      const unsigned char *buf,
449                                      size_t len)
450 {
451     if (len != 0) {
452         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
453         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
454                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
455         return MBEDTLS_ERR_SSL_DECODE_ERROR;
456     }
457 
458     ((void) buf);
459 
460     if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
461         ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
462     }
463 
464     return 0;
465 }
466 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
467 
468 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
469 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)470 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
471                                         unsigned char *buf,
472                                         size_t len)
473 {
474     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
475     mbedtls_ssl_session session;
476 
477     mbedtls_ssl_session_init(&session);
478 
479     if (ssl->conf->f_ticket_parse == NULL ||
480         ssl->conf->f_ticket_write == NULL) {
481         return 0;
482     }
483 
484     /* Remember the client asked us to send a new ticket */
485     ssl->handshake->new_session_ticket = 1;
486 
487     MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
488 
489     if (len == 0) {
490         return 0;
491     }
492 
493 #if defined(MBEDTLS_SSL_RENEGOTIATION)
494     if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
495         MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
496         return 0;
497     }
498 #endif /* MBEDTLS_SSL_RENEGOTIATION */
499 
500     /*
501      * Failures are ok: just ignore the ticket and proceed.
502      */
503     if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
504                                          buf, len)) != 0) {
505         mbedtls_ssl_session_free(&session);
506 
507         if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
508             MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
509         } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
510             MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
511         } else {
512             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
513         }
514 
515         return 0;
516     }
517 
518     /*
519      * Keep the session ID sent by the client, since we MUST send it back to
520      * inform them we're accepting the ticket  (RFC 5077 section 3.4)
521      */
522     session.id_len = ssl->session_negotiate->id_len;
523     memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
524 
525     mbedtls_ssl_session_free(ssl->session_negotiate);
526     memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
527 
528     /* Zeroize instead of free as we copied the content */
529     mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
530 
531     MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
532 
533     ssl->handshake->resume = 1;
534 
535     /* Don't send a new ticket after all, this one is OK */
536     ssl->handshake->new_session_ticket = 0;
537 
538     return 0;
539 }
540 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
541 
542 #if defined(MBEDTLS_SSL_DTLS_SRTP)
543 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)544 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
545                                   const unsigned char *buf,
546                                   size_t len)
547 {
548     mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
549     size_t i, j;
550     size_t profile_length;
551     uint16_t mki_length;
552     /*! 2 bytes for profile length and 1 byte for mki len */
553     const size_t size_of_lengths = 3;
554 
555     /* If use_srtp is not configured, just ignore the extension */
556     if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
557         (ssl->conf->dtls_srtp_profile_list == NULL) ||
558         (ssl->conf->dtls_srtp_profile_list_len == 0)) {
559         return 0;
560     }
561 
562     /* RFC5764 section 4.1.1
563      * uint8 SRTPProtectionProfile[2];
564      *
565      * struct {
566      *   SRTPProtectionProfiles SRTPProtectionProfiles;
567      *   opaque srtp_mki<0..255>;
568      * } UseSRTPData;
569 
570      * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
571      */
572 
573     /*
574      * Min length is 5: at least one protection profile(2 bytes)
575      *                  and length(2 bytes) + srtp_mki length(1 byte)
576      * Check here that we have at least 2 bytes of protection profiles length
577      * and one of srtp_mki length
578      */
579     if (len < size_of_lengths) {
580         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
582         return MBEDTLS_ERR_SSL_DECODE_ERROR;
583     }
584 
585     ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
586 
587     /* first 2 bytes are protection profile length(in bytes) */
588     profile_length = (buf[0] << 8) | buf[1];
589     buf += 2;
590 
591     /* The profile length cannot be bigger than input buffer size - lengths fields */
592     if (profile_length > len - size_of_lengths ||
593         profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
594         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
595                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
596         return MBEDTLS_ERR_SSL_DECODE_ERROR;
597     }
598     /*
599      * parse the extension list values are defined in
600      * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
601      */
602     for (j = 0; j < profile_length; j += 2) {
603         uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
604         client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
605 
606         if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
607             MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
608                                       mbedtls_ssl_get_srtp_profile_as_string(
609                                           client_protection)));
610         } else {
611             continue;
612         }
613         /* check if suggested profile is in our list */
614         for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
615             if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
616                 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
617                 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
618                                           mbedtls_ssl_get_srtp_profile_as_string(
619                                               client_protection)));
620                 break;
621             }
622         }
623         if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
624             break;
625         }
626     }
627     buf += profile_length; /* buf points to the mki length */
628     mki_length = *buf;
629     buf++;
630 
631     if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
632         mki_length + profile_length + size_of_lengths != len) {
633         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
634                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
635         return MBEDTLS_ERR_SSL_DECODE_ERROR;
636     }
637 
638     /* Parse the mki only if present and mki is supported locally */
639     if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
640         mki_length > 0) {
641         ssl->dtls_srtp_info.mki_len = mki_length;
642 
643         memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
644 
645         MBEDTLS_SSL_DEBUG_BUF(3, "using mki",  ssl->dtls_srtp_info.mki_value,
646                               ssl->dtls_srtp_info.mki_len);
647     }
648 
649     return 0;
650 }
651 #endif /* MBEDTLS_SSL_DTLS_SRTP */
652 
653 /*
654  * Auxiliary functions for ServerHello parsing and related actions
655  */
656 
657 #if defined(MBEDTLS_X509_CRT_PARSE_C)
658 /*
659  * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
660  */
661 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
662 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_key_curve(mbedtls_pk_context * pk,uint16_t * curves_tls_id)663 static int ssl_check_key_curve(mbedtls_pk_context *pk,
664                                uint16_t *curves_tls_id)
665 {
666     uint16_t *curr_tls_id = curves_tls_id;
667     mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
668     mbedtls_ecp_group_id curr_grp_id;
669 
670     while (*curr_tls_id != 0) {
671         curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
672         if (curr_grp_id == grp_id) {
673             return 0;
674         }
675         curr_tls_id++;
676     }
677 
678     return -1;
679 }
680 #endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
681 
682 /*
683  * Try picking a certificate for this ciphersuite,
684  * return 0 on success and -1 on failure.
685  */
686 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_pick_cert(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)687 static int ssl_pick_cert(mbedtls_ssl_context *ssl,
688                          const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
689 {
690     mbedtls_ssl_key_cert *cur, *list;
691 #if defined(MBEDTLS_USE_PSA_CRYPTO)
692     psa_algorithm_t pk_alg =
693         mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
694     psa_key_usage_t pk_usage =
695         mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
696 #else
697     mbedtls_pk_type_t pk_alg =
698         mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
699 #endif /* MBEDTLS_USE_PSA_CRYPTO */
700     uint32_t flags;
701 
702 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
703     if (ssl->handshake->sni_key_cert != NULL) {
704         list = ssl->handshake->sni_key_cert;
705     } else
706 #endif
707     list = ssl->conf->key_cert;
708 
709     int pk_alg_is_none = 0;
710 #if defined(MBEDTLS_USE_PSA_CRYPTO)
711     pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
712 #else
713     pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
714 #endif /* MBEDTLS_USE_PSA_CRYPTO */
715     if (pk_alg_is_none) {
716         return 0;
717     }
718 
719     MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
720 
721     if (list == NULL) {
722         MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
723         return -1;
724     }
725 
726     for (cur = list; cur != NULL; cur = cur->next) {
727         flags = 0;
728         MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
729                               cur->cert);
730 
731         int key_type_matches = 0;
732 #if defined(MBEDTLS_USE_PSA_CRYPTO)
733 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
734         key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
735                              ssl->conf->f_async_decrypt_start != NULL ||
736                              mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
737                             mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
738 #else
739         key_type_matches = (
740             mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
741 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
742 #else
743         key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
744 #endif /* MBEDTLS_USE_PSA_CRYPTO */
745         if (!key_type_matches) {
746             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
747             continue;
748         }
749 
750         /*
751          * This avoids sending the client a cert it'll reject based on
752          * keyUsage or other extensions.
753          *
754          * It also allows the user to provision different certificates for
755          * different uses based on keyUsage, eg if they want to avoid signing
756          * and decrypting with the same RSA key.
757          */
758         if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
759                                          MBEDTLS_SSL_IS_CLIENT,
760                                          MBEDTLS_SSL_VERSION_TLS1_2,
761                                          &flags) != 0) {
762             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
763                                       "(extended) key usage extension"));
764             continue;
765         }
766 
767 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
768         if (pk_alg == MBEDTLS_PK_ECDSA &&
769             ssl_check_key_curve(&cur->cert->pk,
770                                 ssl->handshake->curves_tls_id) != 0) {
771             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
772             continue;
773         }
774 #endif
775 
776         /* If we get there, we got a winner */
777         break;
778     }
779 
780     /* Do not update ssl->handshake->key_cert unless there is a match */
781     if (cur != NULL) {
782         ssl->handshake->key_cert = cur;
783         MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
784                               ssl->handshake->key_cert->cert);
785         return 0;
786     }
787 
788     return -1;
789 }
790 #endif /* MBEDTLS_X509_CRT_PARSE_C */
791 
792 /*
793  * Check if a given ciphersuite is suitable for use with our config/keys/etc
794  * Sets ciphersuite_info only if the suite matches.
795  */
796 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_ciphersuite_match(mbedtls_ssl_context * ssl,int suite_id,const mbedtls_ssl_ciphersuite_t ** ciphersuite_info)797 static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
798                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
799 {
800     const mbedtls_ssl_ciphersuite_t *suite_info;
801 
802 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
803     mbedtls_pk_type_t sig_type;
804 #endif
805 
806     suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
807     if (suite_info == NULL) {
808         MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
809         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
810     }
811 
812     MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
813                               (unsigned int) suite_id, suite_info->name));
814 
815     if (suite_info->min_tls_version > ssl->tls_version ||
816         suite_info->max_tls_version < ssl->tls_version) {
817         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
818         return 0;
819     }
820 
821 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
822     if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
823         (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
824         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
825                                   "not configured or ext missing"));
826         return 0;
827     }
828 #endif
829 
830 
831 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
832     defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
833     if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
834         (ssl->handshake->curves_tls_id == NULL ||
835          ssl->handshake->curves_tls_id[0] == 0)) {
836         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
837                                   "no common elliptic curve"));
838         return 0;
839     }
840 #endif
841 
842 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
843     /* If the ciphersuite requires a pre-shared key and we don't
844      * have one, skip it now rather than failing later */
845     if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
846         ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
847         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
848         return 0;
849     }
850 #endif
851 
852 #if defined(MBEDTLS_X509_CRT_PARSE_C)
853     /*
854      * Final check: if ciphersuite requires us to have a
855      * certificate/key of a particular type:
856      * - select the appropriate certificate if we have one, or
857      * - try the next ciphersuite if we don't
858      * This must be done last since we modify the key_cert list.
859      */
860     if (ssl_pick_cert(ssl, suite_info) != 0) {
861         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
862                                   "no suitable certificate"));
863         return 0;
864     }
865 #endif
866 
867 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
868     /* If the ciphersuite requires signing, check whether
869      * a suitable hash algorithm is present. */
870     sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
871     if (sig_type != MBEDTLS_PK_NONE &&
872         mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
873             ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
874         MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
875                                   "for signature algorithm %u", (unsigned) sig_type));
876         return 0;
877     }
878 
879 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
880 
881     *ciphersuite_info = suite_info;
882     return 0;
883 }
884 
885 /* This function doesn't alert on errors that happen early during
886    ClientHello parsing because they might indicate that the client is
887    not talking SSL/TLS at all and would not understand our alert. */
888 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_hello(mbedtls_ssl_context * ssl)889 static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
890 {
891     int ret, got_common_suite;
892     size_t i, j;
893     size_t ciph_offset, comp_offset, ext_offset;
894     size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
895 #if defined(MBEDTLS_SSL_PROTO_DTLS)
896     size_t cookie_offset, cookie_len;
897 #endif
898     unsigned char *buf, *p, *ext;
899 #if defined(MBEDTLS_SSL_RENEGOTIATION)
900     int renegotiation_info_seen = 0;
901 #endif
902     int handshake_failure = 0;
903     const int *ciphersuites;
904     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
905 
906     /* If there is no signature-algorithm extension present,
907      * we need to fall back to the default values for allowed
908      * signature-hash pairs. */
909 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
910     int sig_hash_alg_ext_present = 0;
911 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
912 
913     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
914 
915     int renegotiating;
916 
917 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
918 read_record_header:
919 #endif
920     /*
921      * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
922      * otherwise read it ourselves manually in order to support SSLv2
923      * ClientHello, which doesn't use the same record layer format.
924      * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
925      * ClientHello has been already fully fetched by the TLS 1.3 code and the
926      * flag ssl->keep_current_message is raised.
927      */
928     renegotiating = 0;
929 #if defined(MBEDTLS_SSL_RENEGOTIATION)
930     renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
931 #endif
932     if (!renegotiating && !ssl->keep_current_message) {
933         if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
934             /* No alert on a read error. */
935             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
936             return ret;
937         }
938     }
939 
940     buf = ssl->in_hdr;
941 
942     MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
943 
944     /*
945      * TLS Client Hello
946      *
947      * Record layer:
948      *     0  .   0   message type
949      *     1  .   2   protocol version
950      *     3  .   11  DTLS: epoch + record sequence number
951      *     3  .   4   message length
952      */
953     MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
954                               buf[0]));
955 
956     if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
957         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
958         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
959     }
960 
961     MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
962                               MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
963 
964     MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
965                               buf[1], buf[2]));
966 
967     /* For DTLS if this is the initial handshake, remember the client sequence
968      * number to use it in our next message (RFC 6347 4.2.1) */
969 #if defined(MBEDTLS_SSL_PROTO_DTLS)
970     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
971 #if defined(MBEDTLS_SSL_RENEGOTIATION)
972         && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
973 #endif
974         ) {
975         /* Epoch should be 0 for initial handshakes */
976         if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
977             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
978             return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
979         }
980 
981         memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
982                sizeof(ssl->cur_out_ctr) - 2);
983 
984 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
985         if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
986             MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
987             ssl->next_record_offset = 0;
988             ssl->in_left = 0;
989             goto read_record_header;
990         }
991 
992         /* No MAC to check yet, so we can update right now */
993         mbedtls_ssl_dtls_replay_update(ssl);
994 #endif
995     }
996 #endif /* MBEDTLS_SSL_PROTO_DTLS */
997 
998     msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
999 
1000 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1001     if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1002         /* Set by mbedtls_ssl_read_record() */
1003         msg_len = ssl->in_hslen;
1004     } else
1005 #endif
1006     {
1007         if (ssl->keep_current_message) {
1008             ssl->keep_current_message = 0;
1009         } else {
1010             if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1011                 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1012                 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1013             }
1014 
1015             if ((ret = mbedtls_ssl_fetch_input(ssl,
1016                                                mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1017                 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1018                 return ret;
1019             }
1020 
1021             /* Done reading this record, get ready for the next one */
1022 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1023             if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1024                 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1025             } else
1026 #endif
1027             ssl->in_left = 0;
1028         }
1029     }
1030 
1031     buf = ssl->in_msg;
1032 
1033     MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
1034 
1035     ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1036     if (0 != ret) {
1037         MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1038         return ret;
1039     }
1040 
1041     /*
1042      * Handshake layer:
1043      *     0  .   0   handshake type
1044      *     1  .   3   handshake length
1045      *     4  .   5   DTLS only: message sequence number
1046      *     6  .   8   DTLS only: fragment offset
1047      *     9  .  11   DTLS only: fragment length
1048      */
1049     if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1050         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1051         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1052     }
1053 
1054     MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
1055 
1056     if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1057         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1058         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1059     }
1060     {
1061         size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1062         MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1063                                   (unsigned) handshake_len));
1064 
1065         /* The record layer has a record size limit of 2^14 - 1 and
1066          * fragmentation is not supported, so buf[1] should be zero. */
1067         if (buf[1] != 0) {
1068             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1069                                       (unsigned) buf[1]));
1070             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1071         }
1072 
1073         /* We don't support fragmentation of ClientHello (yet?) */
1074         if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1075             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1076                                       (unsigned) msg_len,
1077                                       (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1078                                       (unsigned) handshake_len));
1079             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1080         }
1081     }
1082 
1083 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1084     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1085         /*
1086          * Copy the client's handshake message_seq on initial handshakes,
1087          * check sequence number on renego.
1088          */
1089 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1090         if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1091             /* This couldn't be done in ssl_prepare_handshake_record() */
1092             unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1093             if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1094                 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1095                                           "%u (expected %u)", cli_msg_seq,
1096                                           ssl->handshake->in_msg_seq));
1097                 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1098             }
1099 
1100             ssl->handshake->in_msg_seq++;
1101         } else
1102 #endif
1103         {
1104             unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1105             ssl->handshake->out_msg_seq = cli_msg_seq;
1106             ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
1107         }
1108         {
1109             /*
1110              * For now we don't support fragmentation, so make sure
1111              * fragment_offset == 0 and fragment_length == length
1112              */
1113             size_t fragment_offset, fragment_length, length;
1114             fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1115             fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1116             length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
1117             MBEDTLS_SSL_DEBUG_MSG(
1118                 4, ("fragment_offset=%u fragment_length=%u length=%u",
1119                     (unsigned) fragment_offset, (unsigned) fragment_length,
1120                     (unsigned) length));
1121             if (fragment_offset != 0 || length != fragment_length) {
1122                 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1123                 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1124             }
1125         }
1126     }
1127 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1128 
1129     buf += mbedtls_ssl_hs_hdr_len(ssl);
1130     msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1131 
1132     /*
1133      * ClientHello layout:
1134      *     0  .   1   protocol version
1135      *     2  .  33   random bytes (starting with 4 bytes of Unix time)
1136      *    34  .  34   session id length (1 byte)
1137      *    35  . 34+x  session id, where x = session id length from byte 34
1138      *   35+x . 35+x  DTLS only: cookie length (1 byte)
1139      *   36+x .  ..   DTLS only: cookie
1140      *    ..  .  ..   ciphersuite list length (2 bytes)
1141      *    ..  .  ..   ciphersuite list
1142      *    ..  .  ..   compression alg. list length (1 byte)
1143      *    ..  .  ..   compression alg. list
1144      *    ..  .  ..   extensions length (2 bytes, optional)
1145      *    ..  .  ..   extensions (optional)
1146      */
1147 
1148     /*
1149      * Minimal length (with everything empty and extensions omitted) is
1150      * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1151      * read at least up to session id length without worrying.
1152      */
1153     if (msg_len < 38) {
1154         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1155         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1156     }
1157 
1158     /*
1159      * Check and save the protocol version
1160      */
1161     MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
1162 
1163     ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1164                                                                                ssl->conf->transport);
1165     ssl->session_negotiate->tls_version = ssl->tls_version;
1166     ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1167 
1168     if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1169         MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1170         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1171                                        MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1172         return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1173     }
1174 
1175     /*
1176      * Save client random (inc. Unix time)
1177      */
1178     MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
1179 
1180     memcpy(ssl->handshake->randbytes, buf + 2, 32);
1181 
1182     /*
1183      * Check the session ID length and save session ID
1184      */
1185     sess_len = buf[34];
1186 
1187     if (sess_len > sizeof(ssl->session_negotiate->id) ||
1188         sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1189         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1190         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1191                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1192         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1193     }
1194 
1195     MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
1196 
1197     ssl->session_negotiate->id_len = sess_len;
1198     memset(ssl->session_negotiate->id, 0,
1199            sizeof(ssl->session_negotiate->id));
1200     memcpy(ssl->session_negotiate->id, buf + 35,
1201            ssl->session_negotiate->id_len);
1202 
1203     /*
1204      * Check the cookie length and content
1205      */
1206 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1207     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1208         cookie_offset = 35 + sess_len;
1209         cookie_len = buf[cookie_offset];
1210 
1211         if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1212             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1213             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1214                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1215             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1216         }
1217 
1218         MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1219                               buf + cookie_offset + 1, cookie_len);
1220 
1221 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1222         if (ssl->conf->f_cookie_check != NULL
1223 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1224             && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1225 #endif
1226             ) {
1227             if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1228                                           buf + cookie_offset + 1, cookie_len,
1229                                           ssl->cli_id, ssl->cli_id_len) != 0) {
1230                 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
1231                 ssl->handshake->cookie_verify_result = 1;
1232             } else {
1233                 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
1234                 ssl->handshake->cookie_verify_result = 0;
1235             }
1236         } else
1237 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1238         {
1239             /* We know we didn't send a cookie, so it should be empty */
1240             if (cookie_len != 0) {
1241                 /* This may be an attacker's probe, so don't send an alert */
1242                 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1243                 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1244             }
1245 
1246             MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
1247         }
1248 
1249         /*
1250          * Check the ciphersuitelist length (will be parsed later)
1251          */
1252         ciph_offset = cookie_offset + 1 + cookie_len;
1253     } else
1254 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1255     ciph_offset = 35 + sess_len;
1256 
1257     ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
1258 
1259     if (ciph_len < 2 ||
1260         ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1261         (ciph_len % 2) != 0) {
1262         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1263         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1264                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1265         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1266     }
1267 
1268     MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1269                           buf + ciph_offset + 2,  ciph_len);
1270 
1271     /*
1272      * Check the compression algorithm's length.
1273      * The list contents are ignored because implementing
1274      * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1275      * option supported by Mbed TLS.
1276      */
1277     comp_offset = ciph_offset + 2 + ciph_len;
1278 
1279     comp_len = buf[comp_offset];
1280 
1281     if (comp_len < 1 ||
1282         comp_len > 16 ||
1283         comp_len + comp_offset + 1 > msg_len) {
1284         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1285         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1286                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1287         return MBEDTLS_ERR_SSL_DECODE_ERROR;
1288     }
1289 
1290     MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1291                           buf + comp_offset + 1, comp_len);
1292 
1293     /*
1294      * Check the extension length
1295      */
1296     ext_offset = comp_offset + 1 + comp_len;
1297     if (msg_len > ext_offset) {
1298         if (msg_len < ext_offset + 2) {
1299             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1300             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1301                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1302             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1303         }
1304 
1305         ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
1306 
1307         if (msg_len != ext_offset + 2 + ext_len) {
1308             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1309             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1310                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1311             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1312         }
1313     } else {
1314         ext_len = 0;
1315     }
1316 
1317     ext = buf + ext_offset + 2;
1318     MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1319 
1320     while (ext_len != 0) {
1321         unsigned int ext_id;
1322         unsigned int ext_size;
1323         if (ext_len < 4) {
1324             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1325             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1326                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1327             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1328         }
1329         ext_id   = MBEDTLS_GET_UINT16_BE(ext, 0);
1330         ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
1331 
1332         if (ext_size + 4 > ext_len) {
1333             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1334             mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1335                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1336             return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337         }
1338         switch (ext_id) {
1339 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1340             case MBEDTLS_TLS_EXT_SERVERNAME:
1341                 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1342                 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1343                                                         ext + 4 + ext_size);
1344                 if (ret != 0) {
1345                     return ret;
1346                 }
1347                 break;
1348 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1349 
1350             case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1351                 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1352 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1353                 renegotiation_info_seen = 1;
1354 #endif
1355 
1356                 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1357                 if (ret != 0) {
1358                     return ret;
1359                 }
1360                 break;
1361 
1362 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1363             case MBEDTLS_TLS_EXT_SIG_ALG:
1364                 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1365 
1366                 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1367                 if (ret != 0) {
1368                     return ret;
1369                 }
1370 
1371                 sig_hash_alg_ext_present = 1;
1372                 break;
1373 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1374 
1375 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1376                 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
1377                 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1378             case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1379                 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
1380 
1381                 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1382                 if (ret != 0) {
1383                     return ret;
1384                 }
1385                 break;
1386 
1387             case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1388                 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
1389                 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1390 
1391                 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1392                 if (ret != 0) {
1393                     return ret;
1394                 }
1395                 break;
1396 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
1397           MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
1398           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1399 
1400 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1401             case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1402                 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
1403 
1404                 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1405                 if (ret != 0) {
1406                     return ret;
1407                 }
1408                 break;
1409 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1410 
1411 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1412             case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1413                 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
1414 
1415                 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1416                 if (ret != 0) {
1417                     return ret;
1418                 }
1419                 break;
1420 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1421 
1422 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1423             case MBEDTLS_TLS_EXT_CID:
1424                 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1425 
1426                 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1427                 if (ret != 0) {
1428                     return ret;
1429                 }
1430                 break;
1431 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1432 
1433 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1434             case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1435                 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
1436 
1437                 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1438                 if (ret != 0) {
1439                     return ret;
1440                 }
1441                 break;
1442 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1443 
1444 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1445             case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1446                 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
1447 
1448                 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1449                 if (ret != 0) {
1450                     return ret;
1451                 }
1452                 break;
1453 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1454 
1455 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1456             case MBEDTLS_TLS_EXT_SESSION_TICKET:
1457                 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
1458 
1459                 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1460                 if (ret != 0) {
1461                     return ret;
1462                 }
1463                 break;
1464 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1465 
1466 #if defined(MBEDTLS_SSL_ALPN)
1467             case MBEDTLS_TLS_EXT_ALPN:
1468                 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1469 
1470                 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1471                                                  ext + 4 + ext_size);
1472                 if (ret != 0) {
1473                     return ret;
1474                 }
1475                 break;
1476 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1477 
1478 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1479             case MBEDTLS_TLS_EXT_USE_SRTP:
1480                 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1481 
1482                 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1483                 if (ret != 0) {
1484                     return ret;
1485                 }
1486                 break;
1487 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1488 
1489             default:
1490                 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1491                                           ext_id));
1492         }
1493 
1494         ext_len -= 4 + ext_size;
1495         ext += 4 + ext_size;
1496     }
1497 
1498 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1499 
1500     /*
1501      * Try to fall back to default hash SHA1 if the client
1502      * hasn't provided any preferred signature-hash combinations.
1503      */
1504     if (!sig_hash_alg_ext_present) {
1505         uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1506         const uint16_t default_sig_algs[] = {
1507 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1508             MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1509                                                MBEDTLS_SSL_HASH_SHA1),
1510 #endif
1511 #if defined(MBEDTLS_RSA_C)
1512             MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1513                                                MBEDTLS_SSL_HASH_SHA1),
1514 #endif
1515             MBEDTLS_TLS_SIG_NONE
1516         };
1517 
1518         MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1519                               <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1520                               "default_sig_algs is too big");
1521 
1522         memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
1523     }
1524 
1525 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1526 
1527     /*
1528      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1529      */
1530     for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1531         if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1532             MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1533 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1534             if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1535                 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1536                                           "during renegotiation"));
1537                 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1538                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1539                 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1540             }
1541 #endif
1542             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1543             break;
1544         }
1545     }
1546 
1547     /*
1548      * Renegotiation security checks
1549      */
1550     if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1551         ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1552         MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1553         handshake_failure = 1;
1554     }
1555 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1556     else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1557              ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1558              renegotiation_info_seen == 0) {
1559         MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
1560         handshake_failure = 1;
1561     } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1562                ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1563                ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1564         MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
1565         handshake_failure = 1;
1566     } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1567                ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1568                renegotiation_info_seen == 1) {
1569         MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
1570         handshake_failure = 1;
1571     }
1572 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1573 
1574     if (handshake_failure == 1) {
1575         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1576                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1577         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1578     }
1579 
1580     /*
1581      * Server certification selection (after processing TLS extensions)
1582      */
1583     if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1584         MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1585         return ret;
1586     }
1587 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1588     ssl->handshake->sni_name = NULL;
1589     ssl->handshake->sni_name_len = 0;
1590 #endif
1591 
1592     /*
1593      * Search for a matching ciphersuite
1594      * (At the end because we need information from the EC-based extensions
1595      * and certificate from the SNI callback triggered by the SNI extension
1596      * or certificate from server certificate selection callback.)
1597      */
1598     got_common_suite = 0;
1599     ciphersuites = ssl->conf->ciphersuite_list;
1600     ciphersuite_info = NULL;
1601 
1602     if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1603         for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1604             for (i = 0; ciphersuites[i] != 0; i++) {
1605                 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1606                     continue;
1607                 }
1608 
1609                 got_common_suite = 1;
1610 
1611                 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1612                                                  &ciphersuite_info)) != 0) {
1613                     return ret;
1614                 }
1615 
1616                 if (ciphersuite_info != NULL) {
1617                     goto have_ciphersuite;
1618                 }
1619             }
1620         }
1621     } else {
1622         for (i = 0; ciphersuites[i] != 0; i++) {
1623             for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1624                 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1625                     continue;
1626                 }
1627 
1628                 got_common_suite = 1;
1629 
1630                 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1631                                                  &ciphersuite_info)) != 0) {
1632                     return ret;
1633                 }
1634 
1635                 if (ciphersuite_info != NULL) {
1636                     goto have_ciphersuite;
1637                 }
1638             }
1639         }
1640     }
1641 
1642     if (got_common_suite) {
1643         MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1644                                   "but none of them usable"));
1645         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1646                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1647         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1648     } else {
1649         MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1650         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1651                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1652         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1653     }
1654 
1655 have_ciphersuite:
1656     MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
1657 
1658     ssl->session_negotiate->ciphersuite = ciphersuites[i];
1659     ssl->handshake->ciphersuite_info = ciphersuite_info;
1660 
1661     ssl->state++;
1662 
1663 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1664     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1665         mbedtls_ssl_recv_flight_completed(ssl);
1666     }
1667 #endif
1668 
1669     /* Debugging-only output for testsuite */
1670 #if defined(MBEDTLS_DEBUG_C)                         && \
1671     defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1672     mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1673     if (sig_alg != MBEDTLS_PK_NONE) {
1674         unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1675             ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1676         MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1677                                   sig_hash));
1678     } else {
1679         MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1680                                   "%u - should not happen", (unsigned) sig_alg));
1681     }
1682 #endif
1683 
1684     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1685 
1686     return 0;
1687 }
1688 
1689 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl_write_cid_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1690 static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1691                               unsigned char *buf,
1692                               size_t *olen)
1693 {
1694     unsigned char *p = buf;
1695     size_t ext_len;
1696     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1697 
1698     *olen = 0;
1699 
1700     /* Skip writing the extension if we don't want to use it or if
1701      * the client hasn't offered it. */
1702     if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
1703         return;
1704     }
1705 
1706     /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1707      * which is at most 255, so the increment cannot overflow. */
1708     if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1709         MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1710         return;
1711     }
1712 
1713     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
1714 
1715     /*
1716      *   struct {
1717      *      opaque cid<0..2^8-1>;
1718      *   } ConnectionId;
1719      */
1720     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
1721     p += 2;
1722     ext_len = (size_t) ssl->own_cid_len + 1;
1723     MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
1724     p += 2;
1725 
1726     *p++ = (uint8_t) ssl->own_cid_len;
1727     memcpy(p, ssl->own_cid, ssl->own_cid_len);
1728 
1729     *olen = ssl->own_cid_len + 5;
1730 }
1731 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1732 
1733 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1734 static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1735                                            unsigned char *buf,
1736                                            size_t *olen)
1737 {
1738     unsigned char *p = buf;
1739     const mbedtls_ssl_ciphersuite_t *suite = NULL;
1740 
1741     /*
1742      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1743      * from a client and then selects a stream or Authenticated Encryption
1744      * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1745      * encrypt-then-MAC response extension back to the client."
1746      */
1747     suite = mbedtls_ssl_ciphersuite_from_id(
1748         ssl->session_negotiate->ciphersuite);
1749     if (suite == NULL) {
1750         ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1751     } else {
1752         mbedtls_ssl_mode_t ssl_mode =
1753             mbedtls_ssl_get_mode_from_ciphersuite(
1754                 ssl->session_negotiate->encrypt_then_mac,
1755                 suite);
1756 
1757         if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
1758             ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1759         }
1760     }
1761 
1762     if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
1763         *olen = 0;
1764         return;
1765     }
1766 
1767     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
1768 
1769     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
1770     p += 2;
1771 
1772     *p++ = 0x00;
1773     *p++ = 0x00;
1774 
1775     *olen = 4;
1776 }
1777 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
1778 
1779 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1780 static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1781                                       unsigned char *buf,
1782                                       size_t *olen)
1783 {
1784     unsigned char *p = buf;
1785 
1786     if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
1787         *olen = 0;
1788         return;
1789     }
1790 
1791     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1792                               "extension"));
1793 
1794     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
1795     p += 2;
1796 
1797     *p++ = 0x00;
1798     *p++ = 0x00;
1799 
1800     *olen = 4;
1801 }
1802 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1803 
1804 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1805 static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1806                                          unsigned char *buf,
1807                                          size_t *olen)
1808 {
1809     unsigned char *p = buf;
1810 
1811     if (ssl->handshake->new_session_ticket == 0) {
1812         *olen = 0;
1813         return;
1814     }
1815 
1816     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
1817 
1818     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
1819     p += 2;
1820 
1821     *p++ = 0x00;
1822     *p++ = 0x00;
1823 
1824     *olen = 4;
1825 }
1826 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1827 
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1828 static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1829                                         unsigned char *buf,
1830                                         size_t *olen)
1831 {
1832     unsigned char *p = buf;
1833 
1834     if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
1835         *olen = 0;
1836         return;
1837     }
1838 
1839     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
1840 
1841     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
1842     p += 2;
1843 
1844 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1845     if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1846         *p++ = 0x00;
1847         *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
1848         *p++ = ssl->verify_data_len * 2 & 0xFF;
1849 
1850         memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
1851         p += ssl->verify_data_len;
1852         memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
1853         p += ssl->verify_data_len;
1854     } else
1855 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1856     {
1857         *p++ = 0x00;
1858         *p++ = 0x01;
1859         *p++ = 0x00;
1860     }
1861 
1862     *olen = (size_t) (p - buf);
1863 }
1864 
1865 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1866 static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1867                                               unsigned char *buf,
1868                                               size_t *olen)
1869 {
1870     unsigned char *p = buf;
1871 
1872     if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
1873         *olen = 0;
1874         return;
1875     }
1876 
1877     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
1878 
1879     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
1880     p += 2;
1881 
1882     *p++ = 0x00;
1883     *p++ = 1;
1884 
1885     *p++ = ssl->session_negotiate->mfl_code;
1886 
1887     *olen = 5;
1888 }
1889 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1890 
1891 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1892     defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
1893     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1894 static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1895                                                   unsigned char *buf,
1896                                                   size_t *olen)
1897 {
1898     unsigned char *p = buf;
1899     ((void) ssl);
1900 
1901     if ((ssl->handshake->cli_exts &
1902          MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
1903         *olen = 0;
1904         return;
1905     }
1906 
1907     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
1908 
1909     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
1910     p += 2;
1911 
1912     *p++ = 0x00;
1913     *p++ = 2;
1914 
1915     *p++ = 1;
1916     *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
1917 
1918     *olen = 6;
1919 }
1920 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
1921           MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
1922           MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1923 
1924 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1925 static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1926                                        unsigned char *buf,
1927                                        size_t *olen)
1928 {
1929     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1930     unsigned char *p = buf;
1931     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1932     size_t kkpp_len;
1933 
1934     *olen = 0;
1935 
1936     /* Skip costly computation if not needed */
1937     if (ssl->handshake->ciphersuite_info->key_exchange !=
1938         MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1939         return;
1940     }
1941 
1942     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1943 
1944     if (end - p < 4) {
1945         MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1946         return;
1947     }
1948 
1949     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
1950     p += 2;
1951 
1952 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1953     ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1954                                           p + 2, (size_t) (end - p - 2), &kkpp_len,
1955                                           MBEDTLS_ECJPAKE_ROUND_ONE);
1956     if (ret != 0) {
1957         psa_destroy_key(ssl->handshake->psa_pake_password);
1958         psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1959         MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
1960         return;
1961     }
1962 #else
1963     ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1964                                           p + 2, (size_t) (end - p - 2), &kkpp_len,
1965                                           ssl->conf->f_rng, ssl->conf->p_rng);
1966     if (ret != 0) {
1967         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
1968         return;
1969     }
1970 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1971 
1972     MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
1973     p += 2;
1974 
1975     *olen = kkpp_len + 4;
1976 }
1977 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1978 
1979 #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1980 static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1981                                    unsigned char *buf,
1982                                    size_t *olen)
1983 {
1984     size_t mki_len = 0, ext_len = 0;
1985     uint16_t profile_value = 0;
1986     const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1987 
1988     *olen = 0;
1989 
1990     if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1991         (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
1992         return;
1993     }
1994 
1995     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
1996 
1997     if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1998         mki_len = ssl->dtls_srtp_info.mki_len;
1999     }
2000 
2001     /* The extension total size is 9 bytes :
2002      * - 2 bytes for the extension tag
2003      * - 2 bytes for the total size
2004      * - 2 bytes for the protection profile length
2005      * - 2 bytes for the protection profile
2006      * - 1 byte for the mki length
2007      * +  the actual mki length
2008      * Check we have enough room in the output buffer */
2009     if ((size_t) (end - buf) < mki_len + 9) {
2010         MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2011         return;
2012     }
2013 
2014     /* extension */
2015     MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
2016     /*
2017      * total length 5 and mki value: only one profile(2 bytes)
2018      *              and length(2 bytes) and srtp_mki  )
2019      */
2020     ext_len = 5 + mki_len;
2021     MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
2022 
2023     /* protection profile length: 2 */
2024     buf[4] = 0x00;
2025     buf[5] = 0x02;
2026     profile_value = mbedtls_ssl_check_srtp_profile_value(
2027         ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2028     if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2029         MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2030     } else {
2031         MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
2032         return;
2033     }
2034 
2035     buf[8] = mki_len & 0xFF;
2036     memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2037 
2038     *olen = 9 + mki_len;
2039 }
2040 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2041 
2042 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2043 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_verify_request(mbedtls_ssl_context * ssl)2044 static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
2045 {
2046     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2047     unsigned char *p = ssl->out_msg + 4;
2048     unsigned char *cookie_len_byte;
2049 
2050     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
2051 
2052     /*
2053      * struct {
2054      *   ProtocolVersion server_version;
2055      *   opaque cookie<0..2^8-1>;
2056      * } HelloVerifyRequest;
2057      */
2058 
2059     /* The RFC is not clear on this point, but sending the actual negotiated
2060      * version looks like the most interoperable thing to do. */
2061     mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2062     MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
2063     p += 2;
2064 
2065     /* If we get here, f_cookie_check is not null */
2066     if (ssl->conf->f_cookie_write == NULL) {
2067         MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2068         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2069     }
2070 
2071     /* Skip length byte until we know the length */
2072     cookie_len_byte = p++;
2073 
2074     if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2075                                          &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2076                                          ssl->cli_id, ssl->cli_id_len)) != 0) {
2077         MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2078         return ret;
2079     }
2080 
2081     *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
2082 
2083     MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
2084 
2085     ssl->out_msglen  = (size_t) (p - ssl->out_msg);
2086     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2087     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2088 
2089     ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2090 
2091     if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2092         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2093         return ret;
2094     }
2095 
2096 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2097     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2098         (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2099         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2100         return ret;
2101     }
2102 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2103 
2104     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
2105 
2106     return 0;
2107 }
2108 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2109 
ssl_handle_id_based_session_resumption(mbedtls_ssl_context * ssl)2110 static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
2111 {
2112     int ret;
2113     mbedtls_ssl_session session_tmp;
2114     mbedtls_ssl_session * const session = ssl->session_negotiate;
2115 
2116     /* Resume is 0  by default, see ssl_handshake_init().
2117      * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
2118     if (ssl->handshake->resume == 1) {
2119         return;
2120     }
2121     if (session->id_len == 0) {
2122         return;
2123     }
2124     if (ssl->conf->f_get_cache == NULL) {
2125         return;
2126     }
2127 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2128     if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2129         return;
2130     }
2131 #endif
2132 
2133     mbedtls_ssl_session_init(&session_tmp);
2134 
2135     ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2136                                  session->id,
2137                                  session->id_len,
2138                                  &session_tmp);
2139     if (ret != 0) {
2140         goto exit;
2141     }
2142 
2143     if (session->ciphersuite != session_tmp.ciphersuite) {
2144         /* Mismatch between cached and negotiated session */
2145         goto exit;
2146     }
2147 
2148     /* Move semantics */
2149     mbedtls_ssl_session_free(session);
2150     *session = session_tmp;
2151     memset(&session_tmp, 0, sizeof(session_tmp));
2152 
2153     MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
2154     ssl->handshake->resume = 1;
2155 
2156 exit:
2157 
2158     mbedtls_ssl_session_free(&session_tmp);
2159 }
2160 
2161 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_hello(mbedtls_ssl_context * ssl)2162 static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
2163 {
2164 #if defined(MBEDTLS_HAVE_TIME)
2165     mbedtls_time_t t;
2166 #endif
2167     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2168     size_t olen, ext_len = 0, n;
2169     unsigned char *buf, *p;
2170 
2171     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2172 
2173 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2174     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2175         ssl->handshake->cookie_verify_result != 0) {
2176         MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2177         MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2178 
2179         return ssl_write_hello_verify_request(ssl);
2180     }
2181 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2182 
2183     /*
2184      *     0  .   0   handshake type
2185      *     1  .   3   handshake length
2186      *     4  .   5   protocol version
2187      *     6  .   9   UNIX time()
2188      *    10  .  37   random bytes
2189      */
2190     buf = ssl->out_msg;
2191     p = buf + 4;
2192 
2193     mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2194     p += 2;
2195 
2196     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2197                               buf[4], buf[5]));
2198 
2199 #if defined(MBEDTLS_HAVE_TIME)
2200     t = mbedtls_time(NULL);
2201     MBEDTLS_PUT_UINT32_BE(t, p, 0);
2202     p += 4;
2203 
2204     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2205                               (long long) t));
2206 #else
2207     if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2208         return ret;
2209     }
2210 
2211     p += 4;
2212 #endif /* MBEDTLS_HAVE_TIME */
2213 
2214     if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
2215         return ret;
2216     }
2217     p += 20;
2218 
2219 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2220     /*
2221      * RFC 8446
2222      * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2223      * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2224      * response to a ClientHello MUST set the last 8 bytes of their Random
2225      * value specially in their ServerHello.
2226      */
2227     if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2228         static const unsigned char magic_tls12_downgrade_string[] =
2229         { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2230 
2231         MBEDTLS_STATIC_ASSERT(
2232             sizeof(magic_tls12_downgrade_string) == 8,
2233             "magic_tls12_downgrade_string does not have the expected size");
2234 
2235         memcpy(p, magic_tls12_downgrade_string,
2236                sizeof(magic_tls12_downgrade_string));
2237     } else
2238 #endif
2239     {
2240         if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2241             return ret;
2242         }
2243     }
2244     p += 8;
2245 
2246     memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2247 
2248     MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
2249 
2250     ssl_handle_id_based_session_resumption(ssl);
2251 
2252     if (ssl->handshake->resume == 0) {
2253         /*
2254          * New session, create a new session id,
2255          * unless we're about to issue a session ticket
2256          */
2257         ssl->state++;
2258 
2259 #if defined(MBEDTLS_HAVE_TIME)
2260         ssl->session_negotiate->start = mbedtls_time(NULL);
2261 #endif
2262 
2263 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2264         if (ssl->handshake->new_session_ticket != 0) {
2265             ssl->session_negotiate->id_len = n = 0;
2266             memset(ssl->session_negotiate->id, 0, 32);
2267         } else
2268 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2269         {
2270             ssl->session_negotiate->id_len = n = 32;
2271             if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2272                                         n)) != 0) {
2273                 return ret;
2274             }
2275         }
2276     } else {
2277         /*
2278          * Resuming a session
2279          */
2280         n = ssl->session_negotiate->id_len;
2281         ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2282 
2283         if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2284             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2285             return ret;
2286         }
2287     }
2288 
2289     /*
2290      *    38  .  38     session id length
2291      *    39  . 38+n    session id
2292      *   39+n . 40+n    chosen ciphersuite
2293      *   41+n . 41+n    chosen compression alg.
2294      *   42+n . 43+n    extensions length
2295      *   44+n . 43+n+m  extensions
2296      */
2297     *p++ = (unsigned char) ssl->session_negotiate->id_len;
2298     memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2299     p += ssl->session_negotiate->id_len;
2300 
2301     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2302     MBEDTLS_SSL_DEBUG_BUF(3,   "server hello, session id", buf + 39, n);
2303     MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2304                               ssl->handshake->resume ? "a" : "no"));
2305 
2306     MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2307     p += 2;
2308     *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
2309 
2310     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2311                               mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2312     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2313                               (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
2314 
2315     /*
2316      *  First write extensions, then the total length
2317      */
2318     ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2319     ext_len += olen;
2320 
2321 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2322     ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2323     ext_len += olen;
2324 #endif
2325 
2326 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2327     ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2328     ext_len += olen;
2329 #endif
2330 
2331 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2332     ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2333     ext_len += olen;
2334 #endif
2335 
2336 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2337     ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2338     ext_len += olen;
2339 #endif
2340 
2341 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2342     ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2343     ext_len += olen;
2344 #endif
2345 
2346 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
2347     defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
2348     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2349     const mbedtls_ssl_ciphersuite_t *suite =
2350         mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2351     if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2352         ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2353         ext_len += olen;
2354     }
2355 #endif
2356 
2357 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2358     ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2359     ext_len += olen;
2360 #endif
2361 
2362 #if defined(MBEDTLS_SSL_ALPN)
2363     unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
2364     if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2365         != 0) {
2366         return ret;
2367     }
2368 
2369     ext_len += olen;
2370 #endif
2371 
2372 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2373     ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2374     ext_len += olen;
2375 #endif
2376 
2377     MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2378                               ext_len));
2379 
2380     if (ext_len > 0) {
2381         MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
2382         p += 2 + ext_len;
2383     }
2384 
2385     ssl->out_msglen  = (size_t) (p - buf);
2386     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2387     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
2388 
2389     ret = mbedtls_ssl_write_handshake_msg(ssl);
2390 
2391     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2392 
2393     return ret;
2394 }
2395 
2396 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2397 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2398 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2399 {
2400     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2401         ssl->handshake->ciphersuite_info;
2402 
2403     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2404 
2405     if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2406         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2407         ssl->state++;
2408         return 0;
2409     }
2410 
2411     MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2412     return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2413 }
2414 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2415 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2416 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2417 {
2418     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2419     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2420         ssl->handshake->ciphersuite_info;
2421     uint16_t dn_size, total_dn_size; /* excluding length bytes */
2422     size_t ct_len, sa_len; /* including length bytes */
2423     unsigned char *buf, *p;
2424     const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2425     const mbedtls_x509_crt *crt;
2426     int authmode;
2427 
2428     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2429 
2430     ssl->state++;
2431 
2432 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2433     if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2434         authmode = ssl->handshake->sni_authmode;
2435     } else
2436 #endif
2437     authmode = ssl->conf->authmode;
2438 
2439     if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2440         authmode == MBEDTLS_SSL_VERIFY_NONE) {
2441         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2442         return 0;
2443     }
2444 
2445     /*
2446      *     0  .   0   handshake type
2447      *     1  .   3   handshake length
2448      *     4  .   4   cert type count
2449      *     5  .. m-1  cert types
2450      *     m  .. m+1  sig alg length (TLS 1.2 only)
2451      *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
2452      *     n  .. n+1  length of all DNs
2453      *    n+2 .. n+3  length of DN 1
2454      *    n+4 .. ...  Distinguished Name #1
2455      *    ... .. ...  length of DN 2, etc.
2456      */
2457     buf = ssl->out_msg;
2458     p = buf + 4;
2459 
2460     /*
2461      * Supported certificate types
2462      *
2463      *     ClientCertificateType certificate_types<1..2^8-1>;
2464      *     enum { (255) } ClientCertificateType;
2465      */
2466     ct_len = 0;
2467 
2468 #if defined(MBEDTLS_RSA_C)
2469     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2470 #endif
2471 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
2472     p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2473 #endif
2474 
2475     p[0] = (unsigned char) ct_len++;
2476     p += ct_len;
2477 
2478     sa_len = 0;
2479 
2480     /*
2481      * Add signature_algorithms for verify (TLS 1.2)
2482      *
2483      *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2484      *
2485      *     struct {
2486      *           HashAlgorithm hash;
2487      *           SignatureAlgorithm signature;
2488      *     } SignatureAndHashAlgorithm;
2489      *
2490      *     enum { (255) } HashAlgorithm;
2491      *     enum { (255) } SignatureAlgorithm;
2492      */
2493     const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2494     if (sig_alg == NULL) {
2495         return MBEDTLS_ERR_SSL_BAD_CONFIG;
2496     }
2497 
2498     for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2499         unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
2500 
2501         if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
2502             continue;
2503         }
2504         if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
2505             continue;
2506         }
2507 
2508         /* Write elements at offsets starting from 1 (offset 0 is for the
2509          * length). Thus the offset of each element is the length of the
2510          * partial list including that element. */
2511         sa_len += 2;
2512         MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
2513 
2514     }
2515 
2516     /* Fill in list length. */
2517     MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
2518     sa_len += 2;
2519     p += sa_len;
2520 
2521     /*
2522      * DistinguishedName certificate_authorities<0..2^16-1>;
2523      * opaque DistinguishedName<1..2^16-1>;
2524      */
2525     p += 2;
2526 
2527     total_dn_size = 0;
2528 
2529     if (ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
2530         /* NOTE: If trusted certificates are provisioned
2531          *       via a CA callback (configured through
2532          *       `mbedtls_ssl_conf_ca_cb()`, then the
2533          *       CertificateRequest is currently left empty. */
2534 
2535 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2536 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2537         if (ssl->handshake->dn_hints != NULL) {
2538             crt = ssl->handshake->dn_hints;
2539         } else
2540 #endif
2541         if (ssl->conf->dn_hints != NULL) {
2542             crt = ssl->conf->dn_hints;
2543         } else
2544 #endif
2545 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2546         if (ssl->handshake->sni_ca_chain != NULL) {
2547             crt = ssl->handshake->sni_ca_chain;
2548         } else
2549 #endif
2550         crt = ssl->conf->ca_chain;
2551 
2552         while (crt != NULL && crt->version != 0) {
2553             /* It follows from RFC 5280 A.1 that this length
2554              * can be represented in at most 11 bits. */
2555             dn_size = (uint16_t) crt->subject_raw.len;
2556 
2557             if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2558                 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
2559                 break;
2560             }
2561 
2562             MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
2563             p += 2;
2564             memcpy(p, crt->subject_raw.p, dn_size);
2565             p += dn_size;
2566 
2567             MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
2568 
2569             total_dn_size += (unsigned short) (2 + dn_size);
2570             crt = crt->next;
2571         }
2572     }
2573 
2574     ssl->out_msglen  = (size_t) (p - buf);
2575     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2576     ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2577     MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
2578 
2579     ret = mbedtls_ssl_write_handshake_msg(ssl);
2580 
2581     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2582 
2583     return ret;
2584 }
2585 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2586 
2587 #if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2588     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
2589 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2590 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2591 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2592 {
2593     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2594     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2595     mbedtls_pk_context *pk;
2596     mbedtls_pk_type_t pk_type;
2597     psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
2598     unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2599     size_t key_len;
2600 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2601     uint16_t tls_id = 0;
2602     psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
2603     mbedtls_ecp_group_id grp_id;
2604     mbedtls_ecp_keypair *key;
2605 #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
2606 
2607     pk = mbedtls_ssl_own_key(ssl);
2608 
2609     if (pk == NULL) {
2610         return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2611     }
2612 
2613     pk_type = mbedtls_pk_get_type(pk);
2614 
2615     switch (pk_type) {
2616         case MBEDTLS_PK_OPAQUE:
2617 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2618         case MBEDTLS_PK_ECKEY:
2619         case MBEDTLS_PK_ECKEY_DH:
2620         case MBEDTLS_PK_ECDSA:
2621 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2622             if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2623                 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2624             }
2625 
2626             /* Get the attributes of the key previously parsed by PK module in
2627              * order to extract its type and length (in bits). */
2628             status = psa_get_key_attributes(pk->priv_id, &key_attributes);
2629             if (status != PSA_SUCCESS) {
2630                 ret = PSA_TO_MBEDTLS_ERR(status);
2631                 goto exit;
2632             }
2633             ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
2634             ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
2635 
2636 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2637             if (pk_type != MBEDTLS_PK_OPAQUE) {
2638                 /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2639                  * module and only have ECDSA capabilities. Since we need
2640                  * them for ECDH later, we export and then re-import them with
2641                  * proper flags and algorithm. Of course We also set key's type
2642                  * and bits that we just got above. */
2643                 key_attributes = psa_key_attributes_init();
2644                 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2645                 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2646                 psa_set_key_type(&key_attributes,
2647                                  PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2648                 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2649 
2650                 status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2651                 if (status != PSA_SUCCESS) {
2652                     ret = PSA_TO_MBEDTLS_ERR(status);
2653                     goto exit;
2654                 }
2655                 status = psa_import_key(&key_attributes, buf, key_len,
2656                                         &ssl->handshake->xxdh_psa_privkey);
2657                 if (status != PSA_SUCCESS) {
2658                     ret = PSA_TO_MBEDTLS_ERR(status);
2659                     goto exit;
2660                 }
2661 
2662                 /* Set this key as owned by the TLS library: it will be its duty
2663                  * to clear it exit. */
2664                 ssl->handshake->xxdh_psa_privkey_is_external = 0;
2665 
2666                 ret = 0;
2667                 break;
2668             }
2669 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2670 
2671             /* Opaque key is created by the user (externally from Mbed TLS)
2672              * so we assume it already has the right algorithm and flags
2673              * set. Just copy its ID as reference. */
2674             ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2675             ssl->handshake->xxdh_psa_privkey_is_external = 1;
2676             ret = 0;
2677             break;
2678 
2679 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2680         case MBEDTLS_PK_ECKEY:
2681         case MBEDTLS_PK_ECKEY_DH:
2682         case MBEDTLS_PK_ECDSA:
2683             key = mbedtls_pk_ec_rw(*pk);
2684             grp_id = mbedtls_pk_get_ec_group_id(pk);
2685             if (grp_id == MBEDTLS_ECP_DP_NONE) {
2686                 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2687             }
2688             tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
2689             if (tls_id == 0) {
2690                 /* This elliptic curve is not supported */
2691                 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2692             }
2693 
2694             /* If the above conversion to TLS ID was fine, then also this one will
2695                be, so there is no need to check the return value here */
2696             mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
2697                                                        &ssl->handshake->xxdh_psa_bits);
2698 
2699             ssl->handshake->xxdh_psa_type = key_type;
2700 
2701             key_attributes = psa_key_attributes_init();
2702             psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2703             psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2704             psa_set_key_type(&key_attributes,
2705                              PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2706             psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2707 
2708             ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
2709             if (ret != 0) {
2710                 mbedtls_platform_zeroize(buf, sizeof(buf));
2711                 break;
2712             }
2713 
2714             status = psa_import_key(&key_attributes, buf, key_len,
2715                                     &ssl->handshake->xxdh_psa_privkey);
2716             if (status != PSA_SUCCESS) {
2717                 ret = PSA_TO_MBEDTLS_ERR(status);
2718                 mbedtls_platform_zeroize(buf, sizeof(buf));
2719                 break;
2720             }
2721 
2722             mbedtls_platform_zeroize(buf, sizeof(buf));
2723             ret = 0;
2724             break;
2725 #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
2726         default:
2727             ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2728     }
2729 
2730 exit:
2731     psa_reset_key_attributes(&key_attributes);
2732     mbedtls_platform_zeroize(buf, sizeof(buf));
2733 
2734     return ret;
2735 }
2736 #else /* MBEDTLS_USE_PSA_CRYPTO */
2737 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2738 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2739 {
2740     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2741 
2742     const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2743     if (private_key == NULL) {
2744         MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2745         return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
2746     }
2747 
2748     if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2749         MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2750         return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2751     }
2752 
2753     if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
2754                                        mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
2755                                        MBEDTLS_ECDH_OURS)) != 0) {
2756         MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2757         return ret;
2758     }
2759 
2760     return 0;
2761 }
2762 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2763 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2764           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2765 
2766 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
2767     defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2768 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_resume_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2769 static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2770                                           size_t *signature_len)
2771 {
2772     /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2773      * signature length which will be added in ssl_write_server_key_exchange
2774      * after the call to ssl_prepare_server_key_exchange.
2775      * ssl_write_server_key_exchange also takes care of incrementing
2776      * ssl->out_msglen. */
2777     unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2778     size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2779                           - sig_start);
2780     int ret = ssl->conf->f_async_resume(ssl,
2781                                         sig_start, signature_len, sig_max_len);
2782     if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
2783         ssl->handshake->async_in_progress = 0;
2784         mbedtls_ssl_set_async_operation_data(ssl, NULL);
2785     }
2786     MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2787     return ret;
2788 }
2789 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
2790           defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
2791 
2792 /* Prepare the ServerKeyExchange message, up to and including
2793  * calculating the signature if any, but excluding formatting the
2794  * signature and sending the message. */
2795 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2796 static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2797                                            size_t *signature_len)
2798 {
2799     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2800         ssl->handshake->ciphersuite_info;
2801 
2802 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
2803 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2804     unsigned char *dig_signed = NULL;
2805 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2806 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
2807 
2808     (void) ciphersuite_info; /* unused in some configurations */
2809 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2810     (void) signature_len;
2811 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2812 
2813 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2814 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2815     size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
2816 #else
2817     size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
2818 #endif
2819 #endif
2820 
2821     ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2822 
2823     /*
2824      *
2825      * Part 1: Provide key exchange parameters for chosen ciphersuite.
2826      *
2827      */
2828 
2829     /*
2830      * - ECJPAKE key exchanges
2831      */
2832 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2833     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2834         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2836         unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2837         unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2838                                ssl->out_msglen;
2839         size_t output_offset = 0;
2840         size_t output_len = 0;
2841 
2842         /*
2843          * The first 3 bytes are:
2844          * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2845          * [1, 2] elliptic curve's TLS ID
2846          *
2847          * However since we only support secp256r1 for now, we hardcode its
2848          * TLS ID here
2849          */
2850         uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
2851             MBEDTLS_ECP_DP_SECP256R1);
2852         if (tls_id == 0) {
2853             return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2854         }
2855         *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
2856         MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
2857         output_offset += 3;
2858 
2859         ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2860                                               out_p + output_offset,
2861                                               end_p - out_p - output_offset, &output_len,
2862                                               MBEDTLS_ECJPAKE_ROUND_TWO);
2863         if (ret != 0) {
2864             psa_destroy_key(ssl->handshake->psa_pake_password);
2865             psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2866             MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2867             return ret;
2868         }
2869 
2870         output_offset += output_len;
2871         ssl->out_msglen += output_offset;
2872 #else
2873         size_t len = 0;
2874 
2875         ret = mbedtls_ecjpake_write_round_two(
2876             &ssl->handshake->ecjpake_ctx,
2877             ssl->out_msg + ssl->out_msglen,
2878             MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2879             ssl->conf->f_rng, ssl->conf->p_rng);
2880         if (ret != 0) {
2881             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2882             return ret;
2883         }
2884 
2885         ssl->out_msglen += len;
2886 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2887     }
2888 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2889 
2890     /*
2891      * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2892      * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2893      * we use empty support identity hints here.
2894      **/
2895 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
2896     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2897     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2898         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2899         ssl->out_msg[ssl->out_msglen++] = 0x00;
2900         ssl->out_msg[ssl->out_msglen++] = 0x00;
2901     }
2902 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2903           MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2904 
2905     /*
2906      * - DHE key exchanges
2907      */
2908 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
2909     if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
2910         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2911         size_t len = 0;
2912 
2913         if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2914             MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2915             return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2916         }
2917 
2918         /*
2919          * Ephemeral DH parameters:
2920          *
2921          * struct {
2922          *     opaque dh_p<1..2^16-1>;
2923          *     opaque dh_g<1..2^16-1>;
2924          *     opaque dh_Ys<1..2^16-1>;
2925          * } ServerDHParams;
2926          */
2927         if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2928                                          &ssl->conf->dhm_P,
2929                                          &ssl->conf->dhm_G)) != 0) {
2930             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2931             return ret;
2932         }
2933 
2934         if ((ret = mbedtls_dhm_make_params(
2935                  &ssl->handshake->dhm_ctx,
2936                  (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2937                  ssl->out_msg + ssl->out_msglen, &len,
2938                  ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2939             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2940             return ret;
2941         }
2942 
2943 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2944         dig_signed = ssl->out_msg + ssl->out_msglen;
2945 #endif
2946 
2947         ssl->out_msglen += len;
2948 
2949         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2950         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2951         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2952         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2953     }
2954 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
2955 
2956     /*
2957      * - ECDHE key exchanges
2958      */
2959 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
2960     if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
2961         /*
2962          * Ephemeral ECDH parameters:
2963          *
2964          * struct {
2965          *     ECParameters curve_params;
2966          *     ECPoint      public;
2967          * } ServerECDHParams;
2968          */
2969         uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
2970         const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2971         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2972         size_t len = 0;
2973 
2974         /* Match our preference list against the offered curves */
2975         if ((group_list == NULL) || (curr_tls_id == NULL)) {
2976             return MBEDTLS_ERR_SSL_BAD_CONFIG;
2977         }
2978         for (; *group_list != 0; group_list++) {
2979             for (curr_tls_id = ssl->handshake->curves_tls_id;
2980                  *curr_tls_id != 0; curr_tls_id++) {
2981                 if (*curr_tls_id == *group_list) {
2982                     goto curve_matching_done;
2983                 }
2984             }
2985         }
2986 
2987 curve_matching_done:
2988         if (*curr_tls_id == 0) {
2989             MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2990             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2991         }
2992 
2993         MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2994                                   mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
2995 
2996 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2997         psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2998         psa_key_attributes_t key_attributes;
2999         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3000         uint8_t *p = ssl->out_msg + ssl->out_msglen;
3001         const size_t header_size = 4; // curve_type(1), namedcurve(2),
3002                                       // data length(1)
3003         const size_t data_length_size = 1;
3004         psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
3005         size_t ec_bits = 0;
3006 
3007         MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
3008 
3009         /* Convert EC's TLS ID to PSA key type. */
3010         if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
3011                                                        &key_type,
3012                                                        &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
3013             MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
3014             return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
3015         }
3016         handshake->xxdh_psa_type = key_type;
3017         handshake->xxdh_psa_bits = ec_bits;
3018 
3019         key_attributes = psa_key_attributes_init();
3020         psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3021         psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
3022         psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
3023         psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
3024 
3025         /*
3026          * ECParameters curve_params
3027          *
3028          * First byte is curve_type, always named_curve
3029          */
3030         *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3031 
3032         /*
3033          * Next two bytes are the namedcurve value
3034          */
3035         MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
3036         p += 2;
3037 
3038         /* Generate ECDH private key. */
3039         status = psa_generate_key(&key_attributes,
3040                                   &handshake->xxdh_psa_privkey);
3041         if (status != PSA_SUCCESS) {
3042             ret = PSA_TO_MBEDTLS_ERR(status);
3043             MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3044             return ret;
3045         }
3046 
3047         /*
3048          * ECPoint  public
3049          *
3050          * First byte is data length.
3051          * It will be filled later. p holds now the data length location.
3052          */
3053 
3054         /* Export the public part of the ECDH private key from PSA.
3055          * Make one byte space for the length.
3056          */
3057         unsigned char *own_pubkey = p + data_length_size;
3058 
3059         size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3060                                               - (own_pubkey - ssl->out_msg));
3061 
3062         status = psa_export_public_key(handshake->xxdh_psa_privkey,
3063                                        own_pubkey, own_pubkey_max_len,
3064                                        &len);
3065         if (status != PSA_SUCCESS) {
3066             ret = PSA_TO_MBEDTLS_ERR(status);
3067             MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
3068             (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3069             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3070             return ret;
3071         }
3072 
3073         /* Store the length of the exported public key. */
3074         *p = (uint8_t) len;
3075 
3076         /* Determine full message length. */
3077         len += header_size;
3078 #else
3079         mbedtls_ecp_group_id curr_grp_id =
3080             mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
3081 
3082         if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3083                                       curr_grp_id)) != 0) {
3084             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3085             return ret;
3086         }
3087 
3088         if ((ret = mbedtls_ecdh_make_params(
3089                  &ssl->handshake->ecdh_ctx, &len,
3090                  ssl->out_msg + ssl->out_msglen,
3091                  MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3092                  ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3093             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3094             return ret;
3095         }
3096 
3097         MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3098                                MBEDTLS_DEBUG_ECDH_Q);
3099 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3100 
3101 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3102         dig_signed = ssl->out_msg + ssl->out_msglen;
3103 #endif
3104 
3105         ssl->out_msglen += len;
3106     }
3107 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3108 
3109     /*
3110      *
3111      * Part 2: For key exchanges involving the server signing the
3112      *         exchange parameters, compute and add the signature here.
3113      *
3114      */
3115 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3116     if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3117         if (dig_signed == NULL) {
3118             MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3119             return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3120         }
3121 
3122         size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
3123         size_t hashlen = 0;
3124         unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3125 
3126         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3127 
3128         /*
3129          * 2.1: Choose hash algorithm:
3130          *      For TLS 1.2, obey signature-hash-algorithm extension
3131          *      to choose appropriate hash.
3132          */
3133 
3134         mbedtls_pk_type_t sig_alg =
3135             mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3136 
3137         unsigned char sig_hash =
3138             (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
3139                 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
3140 
3141         mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
3142 
3143         /*    For TLS 1.2, obey signature-hash-algorithm extension
3144          *    (RFC 5246, Sec. 7.4.1.4.1). */
3145         if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3146             MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3147             /* (... because we choose a cipher suite
3148              *      only if there is a matching hash.) */
3149             return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3150         }
3151 
3152         MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
3153 
3154         /*
3155          * 2.2: Compute the hash to be signed
3156          */
3157         if (md_alg != MBEDTLS_MD_NONE) {
3158             ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3159                                                          dig_signed,
3160                                                          dig_signed_len,
3161                                                          md_alg);
3162             if (ret != 0) {
3163                 return ret;
3164             }
3165         } else {
3166             MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3167             return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3168         }
3169 
3170         MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3171 
3172         /*
3173          * 2.3: Compute and add the signature
3174          */
3175         /*
3176          * We need to specify signature and hash algorithm explicitly through
3177          * a prefix to the signature.
3178          *
3179          * struct {
3180          *    HashAlgorithm hash;
3181          *    SignatureAlgorithm signature;
3182          * } SignatureAndHashAlgorithm;
3183          *
3184          * struct {
3185          *    SignatureAndHashAlgorithm algorithm;
3186          *    opaque signature<0..2^16-1>;
3187          * } DigitallySigned;
3188          *
3189          */
3190 
3191         ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3192         ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
3193 
3194 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3195         if (ssl->conf->f_async_sign_start != NULL) {
3196             ret = ssl->conf->f_async_sign_start(ssl,
3197                                                 mbedtls_ssl_own_cert(ssl),
3198                                                 md_alg, hash, hashlen);
3199             switch (ret) {
3200                 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3201                     /* act as if f_async_sign was null */
3202                     break;
3203                 case 0:
3204                     ssl->handshake->async_in_progress = 1;
3205                     return ssl_resume_server_key_exchange(ssl, signature_len);
3206                 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3207                     ssl->handshake->async_in_progress = 1;
3208                     return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3209                 default:
3210                     MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3211                     return ret;
3212             }
3213         }
3214 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3215 
3216         if (mbedtls_ssl_own_key(ssl) == NULL) {
3217             MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3218             return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3219         }
3220 
3221         /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3222          * signature length which will be added in ssl_write_server_key_exchange
3223          * after the call to ssl_prepare_server_key_exchange.
3224          * ssl_write_server_key_exchange also takes care of incrementing
3225          * ssl->out_msglen. */
3226         if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3227                                    md_alg, hash, hashlen,
3228                                    ssl->out_msg + ssl->out_msglen + 2,
3229                                    out_buf_len - ssl->out_msglen - 2,
3230                                    signature_len,
3231                                    ssl->conf->f_rng,
3232                                    ssl->conf->p_rng)) != 0) {
3233             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3234             return ret;
3235         }
3236     }
3237 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3238 
3239     return 0;
3240 }
3241 
3242 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3243  * that do not include a ServerKeyExchange message, do nothing. Either
3244  * way, if successful, move on to the next step in the SSL state
3245  * machine. */
3246 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_key_exchange(mbedtls_ssl_context * ssl)3247 static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
3248 {
3249     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3250     size_t signature_len = 0;
3251 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3252     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3253         ssl->handshake->ciphersuite_info;
3254 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3255 
3256     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
3257 
3258 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3259     /* Extract static ECDH parameters and abort if ServerKeyExchange
3260      * is not needed. */
3261     if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
3262         /* For suites involving ECDH, extract DH parameters
3263          * from certificate at this point. */
3264 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3265         if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3266             ret = ssl_get_ecdh_params_from_cert(ssl);
3267             if (ret != 0) {
3268                 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3269                 return ret;
3270             }
3271         }
3272 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3273 
3274         /* Key exchanges not involving ephemeral keys don't use
3275          * ServerKeyExchange, so end here. */
3276         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
3277         ssl->state++;
3278         return 0;
3279     }
3280 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3281 
3282 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3283     defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3284     /* If we have already prepared the message and there is an ongoing
3285      * signature operation, resume signing. */
3286     if (ssl->handshake->async_in_progress != 0) {
3287         MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3288         ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3289     } else
3290 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3291           defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3292     {
3293         /* ServerKeyExchange is needed. Prepare the message. */
3294         ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3295     }
3296 
3297     if (ret != 0) {
3298         /* If we're starting to write a new message, set ssl->out_msglen
3299          * to 0. But if we're resuming after an asynchronous message,
3300          * out_msglen is the amount of data written so far and mst be
3301          * preserved. */
3302         if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3303             MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3304         } else {
3305             ssl->out_msglen = 0;
3306         }
3307         return ret;
3308     }
3309 
3310     /* If there is a signature, write its length.
3311      * ssl_prepare_server_key_exchange already wrote the signature
3312      * itself at its proper place in the output buffer. */
3313 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3314     if (signature_len != 0) {
3315         ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3316         ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
3317 
3318         MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3319                               ssl->out_msg + ssl->out_msglen,
3320                               signature_len);
3321 
3322         /* Skip over the already-written signature */
3323         ssl->out_msglen += signature_len;
3324     }
3325 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3326 
3327     /* Add header and send. */
3328     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3329     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3330 
3331     ssl->state++;
3332 
3333     if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3334         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3335         return ret;
3336     }
3337 
3338     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3339     return 0;
3340 }
3341 
3342 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_server_hello_done(mbedtls_ssl_context * ssl)3343 static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
3344 {
3345     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3346 
3347     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
3348 
3349     ssl->out_msglen  = 4;
3350     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3351     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3352 
3353     ssl->state++;
3354 
3355 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3356     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3357         mbedtls_ssl_send_flight_completed(ssl);
3358     }
3359 #endif
3360 
3361     if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3362         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3363         return ret;
3364     }
3365 
3366 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3367     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3368         (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3369         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3370         return ret;
3371     }
3372 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3373 
3374     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
3375 
3376     return 0;
3377 }
3378 
3379 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
3380     defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3381 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_dh_public(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3382 static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3383                                       const unsigned char *end)
3384 {
3385     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3386     size_t n;
3387 
3388     /*
3389      * Receive G^Y mod P, premaster = (G^Y)^X mod P
3390      */
3391     if (*p + 2 > end) {
3392         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3393         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3394     }
3395 
3396     n = MBEDTLS_GET_UINT16_BE(*p, 0);
3397     *p += 2;
3398 
3399     if (*p + n > end) {
3400         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3401         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3402     }
3403 
3404     if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3405         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3406         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3407     }
3408 
3409     *p += n;
3410 
3411     MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3412 
3413     return ret;
3414 }
3415 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3416           MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3417 
3418 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
3419     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3420 
3421 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3422 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_resume_decrypt_pms(mbedtls_ssl_context * ssl,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3423 static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3424                                   unsigned char *peer_pms,
3425                                   size_t *peer_pmslen,
3426                                   size_t peer_pmssize)
3427 {
3428     int ret = ssl->conf->f_async_resume(ssl,
3429                                         peer_pms, peer_pmslen, peer_pmssize);
3430     if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3431         ssl->handshake->async_in_progress = 0;
3432         mbedtls_ssl_set_async_operation_data(ssl, NULL);
3433     }
3434     MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3435     return ret;
3436 }
3437 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3438 
3439 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_decrypt_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3440 static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3441                                      const unsigned char *p,
3442                                      const unsigned char *end,
3443                                      unsigned char *peer_pms,
3444                                      size_t *peer_pmslen,
3445                                      size_t peer_pmssize)
3446 {
3447     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3448 
3449     mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3450     if (own_cert == NULL) {
3451         MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3452         return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
3453     }
3454     mbedtls_pk_context *public_key = &own_cert->pk;
3455     mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3456     size_t len = mbedtls_pk_get_len(public_key);
3457 
3458 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3459     /* If we have already started decoding the message and there is an ongoing
3460      * decryption operation, resume signing. */
3461     if (ssl->handshake->async_in_progress != 0) {
3462         MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3463         return ssl_resume_decrypt_pms(ssl,
3464                                       peer_pms, peer_pmslen, peer_pmssize);
3465     }
3466 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3467 
3468     /*
3469      * Prepare to decrypt the premaster using own private RSA key
3470      */
3471     if (p + 2 > end) {
3472         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3473         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3474     }
3475     if (*p++ != MBEDTLS_BYTE_1(len) ||
3476         *p++ != MBEDTLS_BYTE_0(len)) {
3477         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3478         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3479     }
3480 
3481     if (p + len != end) {
3482         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3483         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3484     }
3485 
3486     /*
3487      * Decrypt the premaster secret
3488      */
3489 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3490     if (ssl->conf->f_async_decrypt_start != NULL) {
3491         ret = ssl->conf->f_async_decrypt_start(ssl,
3492                                                mbedtls_ssl_own_cert(ssl),
3493                                                p, len);
3494         switch (ret) {
3495             case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3496                 /* act as if f_async_decrypt_start was null */
3497                 break;
3498             case 0:
3499                 ssl->handshake->async_in_progress = 1;
3500                 return ssl_resume_decrypt_pms(ssl,
3501                                               peer_pms,
3502                                               peer_pmslen,
3503                                               peer_pmssize);
3504             case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3505                 ssl->handshake->async_in_progress = 1;
3506                 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3507             default:
3508                 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3509                 return ret;
3510         }
3511     }
3512 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3513 
3514     if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3515         MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3516         return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3517     }
3518 
3519     ret = mbedtls_pk_decrypt(private_key, p, len,
3520                              peer_pms, peer_pmslen, peer_pmssize,
3521                              ssl->conf->f_rng, ssl->conf->p_rng);
3522     return ret;
3523 }
3524 
3525 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,size_t pms_offset)3526 static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3527                                    const unsigned char *p,
3528                                    const unsigned char *end,
3529                                    size_t pms_offset)
3530 {
3531     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3532     unsigned char *pms = ssl->handshake->premaster + pms_offset;
3533     unsigned char ver[2];
3534     unsigned char fake_pms[48], peer_pms[48];
3535     size_t peer_pmslen;
3536     mbedtls_ct_condition_t diff;
3537 
3538     /* In case of a failure in decryption, the decryption may write less than
3539      * 2 bytes of output, but we always read the first two bytes. It doesn't
3540      * matter in the end because diff will be nonzero in that case due to
3541      * ret being nonzero, and we only care whether diff is 0.
3542      * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3543      * also makes memory analyzers happy (don't access uninitialized memory,
3544      * even if it's an unsigned char). */
3545     peer_pms[0] = peer_pms[1] = ~0;
3546     peer_pmslen = 0;
3547 
3548     ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3549                                     peer_pms,
3550                                     &peer_pmslen,
3551                                     sizeof(peer_pms));
3552 
3553 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3554     if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3555         return ret;
3556     }
3557 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3558 
3559     mbedtls_ssl_write_version(ver, ssl->conf->transport,
3560                               ssl->session_negotiate->tls_version);
3561 
3562     /* Avoid data-dependent branches while checking for invalid
3563      * padding, to protect against timing-based Bleichenbacher-type
3564      * attacks. */
3565     diff = mbedtls_ct_bool(ret);
3566     diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3567     diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3568     diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
3569 
3570     /*
3571      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3572      * must not cause the connection to end immediately; instead, send a
3573      * bad_record_mac later in the handshake.
3574      * To protect against timing-based variants of the attack, we must
3575      * not have any branch that depends on whether the decryption was
3576      * successful. In particular, always generate the fake premaster secret,
3577      * regardless of whether it will ultimately influence the output or not.
3578      */
3579     ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3580     if (ret != 0) {
3581         /* It's ok to abort on an RNG failure, since this does not reveal
3582          * anything about the RSA decryption. */
3583         return ret;
3584     }
3585 
3586 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3587     if (diff != MBEDTLS_CT_FALSE) {
3588         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3589     }
3590 #endif
3591 
3592     if (sizeof(ssl->handshake->premaster) < pms_offset ||
3593         sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3594         MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3595         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3596     }
3597     ssl->handshake->pmslen = 48;
3598 
3599     /* Set pms to either the true or the fake PMS, without
3600      * data-dependent branches. */
3601     mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
3602 
3603     return 0;
3604 }
3605 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3606           MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3607 
3608 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3609 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_psk_identity(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3610 static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3611                                          const unsigned char *end)
3612 {
3613     int ret = 0;
3614     uint16_t n;
3615 
3616     if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3617         MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3618         return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3619     }
3620 
3621     /*
3622      * Receive client pre-shared key identity name
3623      */
3624     if (end - *p < 2) {
3625         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3626         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3627     }
3628 
3629     n = MBEDTLS_GET_UINT16_BE(*p, 0);
3630     *p += 2;
3631 
3632     if (n == 0 || n > end - *p) {
3633         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3634         return MBEDTLS_ERR_SSL_DECODE_ERROR;
3635     }
3636 
3637     if (ssl->conf->f_psk != NULL) {
3638         if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
3639             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3640         }
3641     } else {
3642         /* Identity is not a big secret since clients send it in the clear,
3643          * but treat it carefully anyway, just in case */
3644         if (n != ssl->conf->psk_identity_len ||
3645             mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3646             ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3647         }
3648     }
3649 
3650     if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3651         MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3652         mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3653                                        MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3654         return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3655     }
3656 
3657     *p += n;
3658 
3659     return 0;
3660 }
3661 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3662 
3663 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_client_key_exchange(mbedtls_ssl_context * ssl)3664 static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
3665 {
3666     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3667     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3668     unsigned char *p, *end;
3669 
3670     ciphersuite_info = ssl->handshake->ciphersuite_info;
3671 
3672     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
3673 
3674 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3675     (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3676     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3677     if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3678          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3679         (ssl->handshake->async_in_progress != 0)) {
3680         /* We've already read a record and there is an asynchronous
3681          * operation in progress to decrypt it. So skip reading the
3682          * record. */
3683         MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3684     } else
3685 #endif
3686     if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3687         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3688         return ret;
3689     }
3690 
3691     p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3692     end = ssl->in_msg + ssl->in_hslen;
3693 
3694     if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3695         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3696         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3697     }
3698 
3699     if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3700         MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3701         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3702     }
3703 
3704 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3705     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3706         if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3707             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3708             return ret;
3709         }
3710 
3711         if (p != end) {
3712             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3713             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3714         }
3715 
3716         if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3717                                            ssl->handshake->premaster,
3718                                            MBEDTLS_PREMASTER_SIZE,
3719                                            &ssl->handshake->pmslen,
3720                                            ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3721             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3722             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3723         }
3724 
3725         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3726     } else
3727 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3728 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
3729     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
3730     defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
3731     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3732     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3733         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3734         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3735         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
3736 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3737         size_t data_len = (size_t) (*p++);
3738         size_t buf_len = (size_t) (end - p);
3739         psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3740         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3741 
3742         MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
3743 
3744         /*
3745          * We must have at least two bytes (1 for length, at least 1 for data)
3746          */
3747         if (buf_len < 2) {
3748             MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3749                                       buf_len));
3750             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3751         }
3752 
3753         if (data_len < 1 || data_len > buf_len) {
3754             MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3755                                       " > %" MBEDTLS_PRINTF_SIZET,
3756                                       data_len, buf_len));
3757             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3758         }
3759 
3760         /* Store peer's ECDH public key. */
3761         if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
3762             MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3763                                       " > %" MBEDTLS_PRINTF_SIZET,
3764                                       data_len,
3765                                       sizeof(handshake->xxdh_psa_peerkey)));
3766             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3767         }
3768         memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3769         handshake->xxdh_psa_peerkey_len = data_len;
3770 
3771         /* Compute ECDH shared secret. */
3772         status = psa_raw_key_agreement(
3773             PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3774             handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
3775             handshake->premaster, sizeof(handshake->premaster),
3776             &handshake->pmslen);
3777         if (status != PSA_SUCCESS) {
3778             ret = PSA_TO_MBEDTLS_ERR(status);
3779             MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
3780             if (handshake->xxdh_psa_privkey_is_external == 0) {
3781                 (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3782             }
3783             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3784             return ret;
3785         }
3786 
3787         if (handshake->xxdh_psa_privkey_is_external == 0) {
3788             status = psa_destroy_key(handshake->xxdh_psa_privkey);
3789 
3790             if (status != PSA_SUCCESS) {
3791                 ret = PSA_TO_MBEDTLS_ERR(status);
3792                 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3793                 return ret;
3794             }
3795         }
3796         handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3797 #else
3798         if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3799                                             p, (size_t) (end - p))) != 0) {
3800             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3801             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3802         }
3803 
3804         MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3805                                MBEDTLS_DEBUG_ECDH_QP);
3806 
3807         if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3808                                             &ssl->handshake->pmslen,
3809                                             ssl->handshake->premaster,
3810                                             MBEDTLS_MPI_MAX_SIZE,
3811                                             ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3812             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3813             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3814         }
3815 
3816         MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3817                                MBEDTLS_DEBUG_ECDH_Z);
3818 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3819     } else
3820 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3821           MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3822           MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3823           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3824 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3825     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3826         if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3827             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3828             return ret;
3829         }
3830 
3831         if (p != end) {
3832             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3833             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3834         }
3835 
3836 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3837         if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3838                                                     (mbedtls_key_exchange_type_t) ciphersuite_info->
3839                                                     key_exchange)) != 0) {
3840             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3841             return ret;
3842         }
3843 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3844     } else
3845 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3846 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3847     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3848 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3849         if (ssl->handshake->async_in_progress != 0) {
3850             /* There is an asynchronous operation in progress to
3851              * decrypt the encrypted premaster secret, so skip
3852              * directly to resuming this operation. */
3853             MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
3854             /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3855              * won't actually use it, but maintain p anyway for robustness. */
3856             p += ssl->conf->psk_identity_len + 2;
3857         } else
3858 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3859         if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3860             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3861             return ret;
3862         }
3863 
3864         if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3865             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3866             return ret;
3867         }
3868 
3869 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3870         if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3871                                                     (mbedtls_key_exchange_type_t) ciphersuite_info->
3872                                                     key_exchange)) != 0) {
3873             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3874             return ret;
3875         }
3876 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3877     } else
3878 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3879 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3880     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3881         if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3882             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3883             return ret;
3884         }
3885         if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3886             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3887             return ret;
3888         }
3889 
3890         if (p != end) {
3891             MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3892             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3893         }
3894 
3895 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3896         unsigned char *pms = ssl->handshake->premaster;
3897         unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3898         size_t pms_len;
3899 
3900         /* Write length only when we know the actual value */
3901         if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3902                                            pms + 2, pms_end - (pms + 2), &pms_len,
3903                                            ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3904             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3905             return ret;
3906         }
3907         MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
3908         pms += 2 + pms_len;
3909 
3910         MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3911 #else
3912         if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3913                                                     (mbedtls_key_exchange_type_t) ciphersuite_info->
3914                                                     key_exchange)) != 0) {
3915             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3916             return ret;
3917         }
3918 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3919     } else
3920 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3921 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3922     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3923 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3924         psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3925         psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3926         size_t ecpoint_len;
3927 
3928         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3929 
3930         if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3931             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3932             psa_destroy_key(handshake->xxdh_psa_privkey);
3933             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3934             return ret;
3935         }
3936 
3937         /* Keep a copy of the peer's public key */
3938         if (p >= end) {
3939             psa_destroy_key(handshake->xxdh_psa_privkey);
3940             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3941             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3942         }
3943 
3944         ecpoint_len = *(p++);
3945         if ((size_t) (end - p) < ecpoint_len) {
3946             psa_destroy_key(handshake->xxdh_psa_privkey);
3947             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3948             return MBEDTLS_ERR_SSL_DECODE_ERROR;
3949         }
3950 
3951         /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3952            the sizes of the FFDH keys which are at least 2048 bits.
3953            The size of the array is thus greater than 256 bytes which is greater than any
3954            possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
3955 #if !defined(PSA_WANT_ALG_FFDH)
3956         if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3957             psa_destroy_key(handshake->xxdh_psa_privkey);
3958             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3959             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3960         }
3961 #else
3962         MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3963                               "peer key buffer too small");
3964 #endif
3965 
3966         memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3967         handshake->xxdh_psa_peerkey_len = ecpoint_len;
3968         p += ecpoint_len;
3969 
3970         /* As RFC 5489 section 2, the premaster secret is formed as follows:
3971          * - a uint16 containing the length (in octets) of the ECDH computation
3972          * - the octet string produced by the ECDH computation
3973          * - a uint16 containing the length (in octets) of the PSK
3974          * - the PSK itself
3975          */
3976         unsigned char *psm = ssl->handshake->premaster;
3977         const unsigned char * const psm_end =
3978             psm + sizeof(ssl->handshake->premaster);
3979         /* uint16 to store length (in octets) of the ECDH computation */
3980         const size_t zlen_size = 2;
3981         size_t zlen = 0;
3982 
3983         /* Compute ECDH shared secret. */
3984         status = psa_raw_key_agreement(PSA_ALG_ECDH,
3985                                        handshake->xxdh_psa_privkey,
3986                                        handshake->xxdh_psa_peerkey,
3987                                        handshake->xxdh_psa_peerkey_len,
3988                                        psm + zlen_size,
3989                                        psm_end - (psm + zlen_size),
3990                                        &zlen);
3991 
3992         destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3993         handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3994 
3995         if (status != PSA_SUCCESS) {
3996             return PSA_TO_MBEDTLS_ERR(status);
3997         } else if (destruction_status != PSA_SUCCESS) {
3998             return PSA_TO_MBEDTLS_ERR(destruction_status);
3999         }
4000 
4001         /* Write the ECDH computation length before the ECDH computation */
4002         MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
4003         psm += zlen_size + zlen;
4004 
4005 #else /* MBEDTLS_USE_PSA_CRYPTO */
4006         if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4007             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4008             return ret;
4009         }
4010 
4011         if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
4012                                             p, (size_t) (end - p))) != 0) {
4013             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4014             return MBEDTLS_ERR_SSL_DECODE_ERROR;
4015         }
4016 
4017         MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4018                                MBEDTLS_DEBUG_ECDH_QP);
4019 
4020         if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4021                                                     (mbedtls_key_exchange_type_t) ciphersuite_info->
4022                                                     key_exchange)) != 0) {
4023             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4024             return ret;
4025         }
4026 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4027     } else
4028 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4029 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4030     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
4031         if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4032             MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
4033             return ret;
4034         }
4035     } else
4036 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
4037 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4038     if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
4039 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4040         if ((ret = mbedtls_psa_ecjpake_read_round(
4041                  &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
4042                  MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4043             psa_destroy_key(ssl->handshake->psa_pake_password);
4044             psa_pake_abort(&ssl->handshake->psa_pake_ctx);
4045 
4046             MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4047             return ret;
4048         }
4049 #else
4050         ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4051                                              p, (size_t) (end - p));
4052         if (ret != 0) {
4053             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4054             return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4055         }
4056 
4057         ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4058                                             ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4059                                             ssl->conf->f_rng, ssl->conf->p_rng);
4060         if (ret != 0) {
4061             MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4062             return ret;
4063         }
4064 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4065     } else
4066 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4067     {
4068         MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4069         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4070     }
4071 
4072     if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4073         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4074         return ret;
4075     }
4076 
4077     ssl->state++;
4078 
4079     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
4080 
4081     return 0;
4082 }
4083 
4084 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
4085 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4086 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4087 {
4088     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4089         ssl->handshake->ciphersuite_info;
4090 
4091     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4092 
4093     if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4094         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4095         ssl->state++;
4096         return 0;
4097     }
4098 
4099     MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4100     return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4101 }
4102 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4103 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4104 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4105 {
4106     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4107     size_t i, sig_len;
4108     unsigned char hash[48];
4109     unsigned char *hash_start = hash;
4110     size_t hashlen;
4111     mbedtls_pk_type_t pk_alg;
4112     mbedtls_md_type_t md_alg;
4113     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4114         ssl->handshake->ciphersuite_info;
4115     mbedtls_pk_context *peer_pk;
4116 
4117     MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4118 
4119     if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4120         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4121         ssl->state++;
4122         return 0;
4123     }
4124 
4125 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4126     if (ssl->session_negotiate->peer_cert == NULL) {
4127         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4128         ssl->state++;
4129         return 0;
4130     }
4131 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4132     if (ssl->session_negotiate->peer_cert_digest == NULL) {
4133         MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4134         ssl->state++;
4135         return 0;
4136     }
4137 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4138 
4139     /* Read the message without adding it to the checksum */
4140     ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4141     if (0 != ret) {
4142         MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4143         return ret;
4144     }
4145 
4146     ssl->state++;
4147 
4148     /* Process the message contents */
4149     if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4150         ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4151         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4152         return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
4153     }
4154 
4155     i = mbedtls_ssl_hs_hdr_len(ssl);
4156 
4157 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4158     peer_pk = &ssl->handshake->peer_pubkey;
4159 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4160     if (ssl->session_negotiate->peer_cert == NULL) {
4161         /* Should never happen */
4162         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4163     }
4164     peer_pk = &ssl->session_negotiate->peer_cert->pk;
4165 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4166 
4167     /*
4168      *  struct {
4169      *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4170      *     opaque signature<0..2^16-1>;
4171      *  } DigitallySigned;
4172      */
4173     if (i + 2 > ssl->in_hslen) {
4174         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4175         return MBEDTLS_ERR_SSL_DECODE_ERROR;
4176     }
4177 
4178     /*
4179      * Hash
4180      */
4181     md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4182 
4183     if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4184         MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4185                                   " for verify message"));
4186         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4187     }
4188 
4189 #if !defined(MBEDTLS_MD_SHA1)
4190     if (MBEDTLS_MD_SHA1 == md_alg) {
4191         hash_start += 16;
4192     }
4193 #endif
4194 
4195     /* Info from md_alg will be used instead */
4196     hashlen = 0;
4197 
4198     i++;
4199 
4200     /*
4201      * Signature
4202      */
4203     if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4204         == MBEDTLS_PK_NONE) {
4205         MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4206                                   " for verify message"));
4207         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4208     }
4209 
4210     /*
4211      * Check the certificate's key type matches the signature alg
4212      */
4213     if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4214         MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4215         return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4216     }
4217 
4218     i++;
4219 
4220     if (i + 2 > ssl->in_hslen) {
4221         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4222         return MBEDTLS_ERR_SSL_DECODE_ERROR;
4223     }
4224 
4225     sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
4226     i += 2;
4227 
4228     if (i + sig_len != ssl->in_hslen) {
4229         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4230         return MBEDTLS_ERR_SSL_DECODE_ERROR;
4231     }
4232 
4233     /* Calculate hash and verify signature */
4234     {
4235         size_t dummy_hlen;
4236         ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4237         if (0 != ret) {
4238             MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4239             return ret;
4240         }
4241     }
4242 
4243     if ((ret = mbedtls_pk_verify(peer_pk,
4244                                  md_alg, hash_start, hashlen,
4245                                  ssl->in_msg + i, sig_len)) != 0) {
4246         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4247         return ret;
4248     }
4249 
4250     ret = mbedtls_ssl_update_handshake_status(ssl);
4251     if (0 != ret) {
4252         MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4253         return ret;
4254     }
4255 
4256     MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
4257 
4258     return ret;
4259 }
4260 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4261 
4262 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4263 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_new_session_ticket(mbedtls_ssl_context * ssl)4264 static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
4265 {
4266     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4267     size_t tlen;
4268     uint32_t lifetime;
4269 
4270     MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
4271 
4272     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4273     ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4274 
4275     /*
4276      * struct {
4277      *     uint32 ticket_lifetime_hint;
4278      *     opaque ticket<0..2^16-1>;
4279      * } NewSessionTicket;
4280      *
4281      * 4  .  7   ticket_lifetime_hint (0 = unspecified)
4282      * 8  .  9   ticket_len (n)
4283      * 10 .  9+n ticket content
4284      */
4285 
4286 #if defined(MBEDTLS_HAVE_TIME)
4287     ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
4288 #endif
4289     if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4290                                          ssl->session_negotiate,
4291                                          ssl->out_msg + 10,
4292                                          ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4293                                          &tlen, &lifetime)) != 0) {
4294         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
4295         tlen = 0;
4296     }
4297 
4298     MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4299     MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
4300     ssl->out_msglen = 10 + tlen;
4301 
4302     /*
4303      * Morally equivalent to updating ssl->state, but NewSessionTicket and
4304      * ChangeCipherSpec share the same state.
4305      */
4306     ssl->handshake->new_session_ticket = 0;
4307 
4308     if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4309         MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4310         return ret;
4311     }
4312 
4313     MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
4314 
4315     return 0;
4316 }
4317 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4318 
4319 /*
4320  * SSL handshake -- server side -- single step
4321  */
mbedtls_ssl_handshake_server_step(mbedtls_ssl_context * ssl)4322 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
4323 {
4324     int ret = 0;
4325 
4326     MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4327 
4328     switch (ssl->state) {
4329         case MBEDTLS_SSL_HELLO_REQUEST:
4330             ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4331             break;
4332 
4333         /*
4334          *  <==   ClientHello
4335          */
4336         case MBEDTLS_SSL_CLIENT_HELLO:
4337             ret = ssl_parse_client_hello(ssl);
4338             break;
4339 
4340 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4341         case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4342             return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
4343 #endif
4344 
4345         /*
4346          *  ==>   ServerHello
4347          *        Certificate
4348          *      ( ServerKeyExchange  )
4349          *      ( CertificateRequest )
4350          *        ServerHelloDone
4351          */
4352         case MBEDTLS_SSL_SERVER_HELLO:
4353             ret = ssl_write_server_hello(ssl);
4354             break;
4355 
4356         case MBEDTLS_SSL_SERVER_CERTIFICATE:
4357             ret = mbedtls_ssl_write_certificate(ssl);
4358             break;
4359 
4360         case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4361             ret = ssl_write_server_key_exchange(ssl);
4362             break;
4363 
4364         case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4365             ret = ssl_write_certificate_request(ssl);
4366             break;
4367 
4368         case MBEDTLS_SSL_SERVER_HELLO_DONE:
4369             ret = ssl_write_server_hello_done(ssl);
4370             break;
4371 
4372         /*
4373          *  <== ( Certificate/Alert  )
4374          *        ClientKeyExchange
4375          *      ( CertificateVerify  )
4376          *        ChangeCipherSpec
4377          *        Finished
4378          */
4379         case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4380             ret = mbedtls_ssl_parse_certificate(ssl);
4381             break;
4382 
4383         case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4384             ret = ssl_parse_client_key_exchange(ssl);
4385             break;
4386 
4387         case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4388             ret = ssl_parse_certificate_verify(ssl);
4389             break;
4390 
4391         case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4392             ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4393             break;
4394 
4395         case MBEDTLS_SSL_CLIENT_FINISHED:
4396             ret = mbedtls_ssl_parse_finished(ssl);
4397             break;
4398 
4399         /*
4400          *  ==> ( NewSessionTicket )
4401          *        ChangeCipherSpec
4402          *        Finished
4403          */
4404         case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4405 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4406             if (ssl->handshake->new_session_ticket != 0) {
4407                 ret = ssl_write_new_session_ticket(ssl);
4408             } else
4409 #endif
4410             ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4411             break;
4412 
4413         case MBEDTLS_SSL_SERVER_FINISHED:
4414             ret = mbedtls_ssl_write_finished(ssl);
4415             break;
4416 
4417         case MBEDTLS_SSL_FLUSH_BUFFERS:
4418             MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4419             ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4420             break;
4421 
4422         case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4423             mbedtls_ssl_handshake_wrapup(ssl);
4424             break;
4425 
4426         default:
4427             MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4428             return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4429     }
4430 
4431     return ret;
4432 }
4433 
mbedtls_ssl_conf_preference_order(mbedtls_ssl_config * conf,int order)4434 void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
4435 {
4436     conf->respect_cli_pref = order;
4437 }
4438 
4439 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */
4440